Policies and Procedures
Acceptable Use of Information Technology Resources Policy
The State University of New York College of Environmental Science and Forestry’s (ESF) technology infrastructure exists to support teaching, learning, research, administrative, and other activities of the College necessary to fulfill its mission. Access to these resources is a privilege that should be exercised responsibly, ethically, and lawfully.
Reason for Policy
The purpose of this policy is to clearly establish each member of the College’s role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable ESF to implement a comprehensive system-wide Information Security Program. Furthermore, New York State IT policies require campus workforce to abide by Acceptable Use Policies.
References
Policy Office: Executive Director for Administration
Contact: [email protected]
- Gramm-Leach-Bliley Act (GLBA, 314.4)
- Family Educational Rights and Privacy Act (FERPA)
- NIST 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations
- NYS Information Technology Policy (NYS-P03-002)
- NYS Acceptable Use of Information Technology Resources (NYS-P14-001)
- NYS Freedom of Information Law (FOIL)
- NYS Information Security Breach and Notification Act (Section 208 of the State Technology Law)
- ESF Information Security Policy #401
- ESF Data Governance Policy #403
- ESF Electronic Mail System Usage Policy #405
- SUNY Policy 6900 – Information Security Policy
Contacts
Specific questions should be directed to the following:
Policy Clarification and General Information Policy Development
Chief Information Security Officer
(315) 470-6642
[email protected]
Definitions
- Computing and Network Resources - Refers to computing technology owned, leased, operated, and managed by the College, including but not limited to hardware, software, electronic mail systems, web hosting, applications, storage media, databases, and Internet connectivity. Also included are physical resources such as College-owned, -leased, -operated, or -managed computers, network cabling, wireless access points, computer workstations, kiosks, card swipes, printers/copiers, audio-visual equipment, telephone/fax equipment, classroom equipment, or wiring closets. Further, computing resources encompass all college voice and data networks, telephone systems, telecommunications infrastructure, communications systems and services, and physical facilities.
- Users - All who access or use the College's information technology (IT) resources including, but not limited to students, faculty, staff, alumni, visiting scholars, contractors, consultants, other affiliates, and campus visitors.
- Institutional Data - Refers to data that is created, collected, maintained, recorded, or managed by the college, its staff, and agents.
- Restricted Information - Information that if compromised, could result in significant legal, regulatory, financial, or reputational damage to ESF. Examples include, but are not limited to, social security or credit card numbers.
Privacy
Except for any privilege or confidentiality recognized by law, individuals have no legitimate expectation of privacy during any use of the College's IT resources or with respect to any data contained in those resources. The College will comply with, and respond to, all validly issued legal processes, including subpoenas. Any use may be monitored, intercepted, recorded, read, copied, accessed, or captured in any manner including in real time, and used or disclosed in any manner, by authorized personnel without additional prior notice to users. Periodic monitoring may be conducted of systems used, including but not limited to all computer files and all forms of electronic communication (including email, text messaging, instant messaging, telephones, computer systems and other electronic records). In addition to the notice provided in this policy, users may also be notified with a warning banner text at system entry points where users initially sign on about being monitored and may be reminded that unauthorized use of the College's IT resources is not permissible. Additionally, by connecting privately owned smart phones or other IT resources to the College’s network, users consent to the College’s use of scanning programs for security purposes on those resources while attached to the network whether through a wired or wireless connection.
Freedom of Information Law (FOIL)
Under the provisions of the Freedom of Information Law (FOIL), individuals have the right to access certain information held by the College. While ESF is committed to maintaining the security and confidentiality of sensitive and proprietary information, users should be aware that their interactions and communications within our systems and networks could potentially be subject to disclosure requests under FOIL. As a result, it is imperative that all users exercise prudent judgment and adhere to the guidelines outlined in this policy to help safeguard both the College’s interests and the privacy of individuals involved.
Roles and Responsibilities
ESF reserves the right to protect, repair, and maintain the College’s computing equipment and network integrity. In accomplishing this goal, ESF IT personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and Internet activities. Any information obtained by IT Department personnel about a user through routine maintenance of ESF’s computing equipment or network is to remain confidential, unless the information pertains to activities that are not compliant with acceptable use of ESF’s computing and network resources.
Enforcement
Users who violate this policy and any related procedures may be denied access to organizational resources and may be subject to penalties and disciplinary action both within and outside of ESF. The College may temporarily suspend or block access to an account prior to the initiation or completion of disciplinary procedures when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the College or other computing resources and network or to protect ESF from liability. ESF discipline, if deemed necessary, may include termination of employment consistent with the terms and conditions of the Collective Bargaining Agreement, where applicable.
Exceptions
To request an exception, submit a request to ESF’s Computing Network Service’s Helpdesk. Requests must be based on a risk-based approach and contain the following information:
- Why the exception is
- The duration of the exception
- Compensating controls that are in place to mitigate risks associated with the exception
Policy exceptions require approval by the Chief Information Officer, or their designee, and a member of executive leadership. They must be retained for record keeping.
Policy Details
Activities related to ESF’s mission take precedence over computing pursuits of a more personal or recreational nature. Any use that disrupts the College’s mission is prohibited.
Following the same standards of common sense, courtesy and civility that govern the use of other shared facilities, acceptable use of information technology resources generally respects individuals’ privacy, but subject to the right of individuals to be free from intimidation, harassment, and unwarranted annoyance. All users of ESF’s computing and network resources must adhere to the requirements enumerated below.
- Incidental Personal Use: Incidental personal use by authorized users is permitted as long as the use:
- Complies with the requirements of this policy and all ESF policies;
- Is limited in frequency and duration;
- Does not incur additional costs to the College;
- Does not interfere with official business or the execution of the employee’s job duties; and
- Is consistent with applicable law.
Exercising good judgment regarding incidental and necessary personal use is important. The College may revoke or limit this privilege at any time.
- Fraudulent and Illegal Use: ESF explicitly prohibits the use of any information system for fraudulent or illegal purposes. While using any of the College’s information systems, a user must not engage in any activity that is illegal under local, state, federal, or international law.
As a part of this policy, users must not:
- Violate the rights of any individual or company involving information protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by ESF.
- Use in any way copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the College does not have a legal license.
- Export software, technical information, encryption software, or technology in violation of international or regional export control laws.
- Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services.
Any user that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify his/her manager immediately.
Any user that creates liability on behalf of ESF due to inappropriate use of the College’s resources may face disciplinary actions in accordance with Section 8.0 Enforcement of this policy.
- Confidential Information: ESF has both an ethical and legal responsibility to protect confidential information. To that end, there are some general positions that the College has taken, including but not limited to:
- Transmission of institutional data by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.) is prohibited.
- The writing or storage of sensitive institutional data (e.g., FERPA or HIPAA protected information) on personal mobile devices and removable media is prohibited. Mobile devices that access institutional data will be protected by strong access controls, have current updates installed, and be physically secured when not in use to minimize the risk of unauthorized access.
- All users will use approved workstations or devices to access ESF’s data, systems, or networks. Non-ESF owned workstations that store, process, transmit, or access Restricted information are prohibited. Accessing, storage, or processing ESF information on home computers is prohibited, unless previously authorized.
- No user should have administrator rights on their approved workstation.
- Users requiring specific software installations, system configurations, or other administrative tasks must request assistance from the IT department.
- All ESF portable workstations will be securely maintained when in the possession of workforce members. Such workstations will be handled as carry-on (hand) baggage on public transport. They will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.
- Photographic, video, audio, or other recording equipment will not be utilized in secure areas.
- All information stored on workstations and mobile devices must be encrypted, using products or methods approved by IT.
- All users who use ESF owned workstations will take all reasonable precautions to protect the confidentiality, integrity and availability of information contained on the workstation.
- ESF employees and affiliates who move electronic media or information systems containing Restricted or Internal information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized use.
- ESF workforce members will activate their workstation locking software whenever they leave their workstation unattended or will log off from or lock their workstation when their shift is complete.
- Harassment: ESF is committed to providing a safe and productive environment, free from harassment, for all employees. For this reason, users must not:
- Use the College’s information systems to harass any other person via e-mail, telephone, or any other means; or
- Actively procure or transmit material that is in violation of sexual harassment or hostile workplace laws.
If a user feels they are being harassed through the use of the College’s information systems, the user should report it to his/her supervisor or any department head.
- Incident Reporting: The College is committed to responding to security incidents involving personnel, ESF-owned information, or ESF-owned information assets. As part of this policy:
- The loss, theft, or inappropriate use of organizational access credentials (e.g., passwords, key cards, or security tokens), assets (e.g., laptop, cell phones), or other information will be reported to the IT Help Desk.
- No workforce member shall prevent another from reporting a security incident.
- Malicious Activity: ESF strictly prohibits the use of information systems for malicious activity against other users, the College’s information systems themselves, or the information assets of other parties.
- Denial of Service: Users must not:
- Perpetrate, cause, or in any way enable disruption of ESF’s information systems or network communications by denial-of-service methods;
- Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system; or
- Intentionally develop or use programs to infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system, or network.
- Confidentiality: Users must not:
- Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access;
- Facilitate use or access by non-authorized users, including sharing their password or other login credentials with anyone, including other users, family members, or friends;
- Use the same password for ESF accounts as for other non-ESF access (for example, personal ISP account, social media, benefits, email, etc.);
- Share passwords with other users;
- Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another user’s password;
- Make copies of another user’s files without that user’s knowledge and consent;
- Implement personal encryption keys to encrypt ESF information; or
- Base passwords on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports teams, etc.).
- Impersonation: Users must not:
- Circumvent the user authentication or security of any information system;
- Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;
- Create and/or use a proxy server of any kind, other than those provided by ESF, or otherwise redirect network traffic outside of normal routing with authorization; or
- Use any type of technology designed to mask, hide, or modify their identity or activities electronically.
- Network Discovery: Users must not:
- Use a port scanning tool targeting either ESF’s network or any other external network, unless this activity is a part of the user’s normal job functions such as a member of the IT Department conducting vulnerability scans;
- Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the users unless this activity is part of the user’s normal job functions; or
- Connect personally owned routers to ESF network connections or create mobile hotspots.
- Objectionable Content: ESF prohibits the use of organizational information systems for accessing or distributing content that other users may find objectionable. Users must not post, upload, download, or display messages, photos, images, sound files, text files, video files, newsletters, or related materials considered to be:
- Political
- Discriminatory
- Hate speech
- Sexually explicit
- Violent or promoting violence
- Hardware and Software: The College prohibits the use of any hardware or software that is not purchased, installed, configured, tracked, and managed by the College. Users must not:
- Install, attach, connect, or remove or disconnect, hardware of any kind, including wireless access points, storage devices, and peripherals, to any organizational information system without the knowledge and permission of Information Technology;
- Download, install, disable, remove, or uninstall software of any kind, including patches of existing software, to any organizational information system without the knowledge and permission of the ESF’s IT Department; or
- Use personal flash drives, or other USB based storage media, without prior approval from IT.
- Messaging: ESF provides a robust communication platform for users to help the College fulfill its mission. Users must not:
- Automatically forward electronic messages of any kind, by using client message handling rules or any other mechanism;
- Send unsolicited electronic messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);
- Solicit electronic messages for any other digital identifier (e.g., e-mail address, social handle, etc.), other than that of the poster’s account, with the intent to harass or to collect replies; or
- Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.
- Remote Working: When working remotely, users must:
- Safeguard and protect any College-owned or managed computing assets to prevent loss or theft.
- Not utilize personally owned computing devices for ESF work, including transferring College information to personally owned devices, unless approved by the IT Department.
- Take reasonable precautions to prevent unauthorized parties from accessing computing assets or viewing ESF information processed, stored, or transmitted on College-owned assets.
- Not access or process confidential or sensitive information in public places or over public, insecure networks.
- Only use IT approved methods for connecting to ESF’s systems.
- Social Media: To limit the university’s risk exposure related to the use of social media sites/software:
- Employees shall not claim to represent ESF in social media postings or messages unless specifically authorized to do so by the Office of Communications & Marketing.
- Personal use of any chat or streaming media service as a representative of ESF shall not be permitted without explicit approval from the Office of Communications & Marketing.
- Access to social media sites must comply with the following:
- Account credentials used to access social media sites must be configured with unique pass phrases and provided to the Office of Communications & Marketing.
- Accounts used to access social media sites, where possible, must be configured to use multi-factor authentication.
- Employees must not, under any circumstances, defame or otherwise discredit the products or services of ESF, their partners, affiliates, students, vendors, or other institutions.
- Postings shall not use ESF’s logo, trademark, proprietary graphics or photographs of the university’s premises or personnel without explicit approval from the Office of Communications & Marketing.
- Postings, whether business-related or personal, must not contain information that ESF considers derogatory or damaging to the university’s reputation and goodwill. Any such posts, even those made anonymously, are subject to investigation and appropriate remedial action.
- Other: In addition to the other parts of this policy, users must not:
- Use the College’s information systems for commercial use or personal gain; or
- Use the College’s accounts/credentials/email with or for personal websites, services, and/or accounts, including but not limited to banking, file sharing, shopping, video streaming, dating sites and others.
History
Procedure Revision Record
02/05/2026 Implementation Date
Policy Revision Record
02/05/2026 Policy Implementation
