The University of Alabama, Office for Academic Affairs

Terms of Use of Electronic Accounts

Unit:  Office of Information Technology
Contact: Taylor Anderson
Title:  Chief Information Security Officer
Effective Date: 4/7/2002
Revision Date: 05/02/2022
 
 
 

Purpose

The purpose of this policy is to address the terms of use for all electronic accounts at The University of Alabama assigned to individuals for access to information on any University managed systems, networks, devices, or applications. 

Policy

Electronic Accounts

Users of University electronic accounts are granted access to University information through authorized and approved University provided accounts.  All University of Alabama information, and especially all sensitive and restricted information as defined in the Information Classification Policy, will be accessed through computer accounts established for an individual based on their role and job responsibility.  Detailed procedures define the account management processes for access to all University information and will include account request, account modification or termination based on the individual’s change in role or job responsibility, and termination of accounts based on separation or retirement.

University accounts include the individual’s identification (user ID), the authentication process (password, PIN, multi-factor, token, biometric, etc.), and the authorization (access rights to information).  Authorization or access rights to University accounts shall be provided in accordance with the concept of “least privilege,” meaning that an individual shall be granted access to the information required to perform their job and nothing more, where technically possible.

Upon employment with the University, most users are given access to a University email account and a single sign-on account.  For most job roles, wireless access is available using single sign-on. 

Individuals are responsible for the protection and privacy of their electronic accounts.  Each account is for the exclusive use of the individual to whom it is assigned.  Any unauthorized use of University accounts should be reported as an incident as defined in the Security Incident Response Procedures. No individual should be allowed access to any other individual’s account unless authorized to do so by OIT, Human Resources, Office of Counsel, UA Police Department (UAPD), or another defined authority.  Sharing of accounts is prohibited. However, employee passwords will be disclosed to appropriate University personnel, such as OIT, Human Resources, Office of Counsel, UAPD, or another defined authority, when necessary.

The University may exercise its right to review, audit, intercept, access, and disclose all matters on its systems and networks at any time, with or without notice to the user, during or after working hours. Individuals should have no expectation of privacy in connection with the use of University accounts.

User accounts may not be used in an inappropriate manner such as, but not limited to:
  • Activities that violate any University policy;
  • Accessing information for which the user is not authorized or making attempts to circumvent or defeat account usage restrictions;
  • Use that results in commercial gain or benefit to the user, or that constitutes consulting for a business or running a business;
  • Use that promotes commercial activities or displays paid advertising;
  • Use that violates state or federal laws or University policies on the use of University equipment, resources, email listservs or time including, but not limited to, engaging in political activities in their individual capacities as private citizens; 
  • Use that violates any copyright or license agreements;
  • Use that includes the following forms of communication, which are prohibited:
    • Obscenity
    • Defamation
    • Advocacy directed to incite or produce lawless action
    • Threats of violence against person(s) or property
    • Disruption of the academic environment
    • Discrimination or harassment due to race, sex, religion, disability, age, or other protected status 
    • False information about academic or administrative policies or issues 
  • Use that attempts to create a sexually or racially hostile work or academic environment;
  • Use to send, view, download, or forward abusive, threatening, obscene or harassing material;
  • Use that may access, destroy, endanger, or divert another’s research, writing, data, or other work product without permission of the owner;
  • Use that may involve the intentional introduction of destructive software, such as programs known as computer viruses, trojan horses, ransomware, or worms, cryptocurrency mining software, distributed computing software, or penetration testing software into any University computer, computer system, or network without prior approval;
  • Use that may involve disclosure of passwords or identifying data that attempts to circumvent system security or in any way attempts to gain unauthorized access;
  • Use that misrepresents oneself or The University of Alabama or to otherwise violate explicit workplace policies mandated within the University or within a particular department or division.

For faculty or staff involuntary separation, electronic account access will be removed immediately upon receipt of notification instructions from Human Resources and the department.

Email Account Management Post Employment

Non-retirement departures  

  • Faculty -- For faculty voluntary separation, access to email accounts will be removed 120 days after separation. Faculty with a legitimate email access business need that may affect University operations and/or students may request continued access for a specific time period. This request must be approved in advance by the Associate Provost for Faculty Affairs or their designee.  

  • Staff -- For staff voluntary separation, account access will be removed the day after separation.  

Retirees (effective Feb. 1, 2022) 

  • Faculty -- User email account access will continue with a retiree designation placed in the address of any outgoing messages (e.g., username@retiree.ua.edu).

  • Staff -- User email accounts will be discontinued one day after date of retirement. Staff retirees with a legitimate email business need that may affect University operations and/or students may request, with advance approval at the direction of Human Resources, that access be continued for a specific time period.
     
  • Faculty or staff retirees who remain on or return to the University payroll and/or have a legitimate business need affecting their participation in research, University operations or academic programs may request exclusion from the  email alias for a specific time period. This request must be approved in advance by the Associate Provost for Faculty Affairs (or designee) or appropriate associate vice president for staff. 

Previous Retirees (prior to Feb. 1, 2022) Using University Email Accounts

  • All current faculty and staff retiree @ua.edu email addresses currently in use will be changed to username@retiree.ua.edu.  Microsoft multi-factor authentication will continue to be required to access the account.   

Personal Use of University Electronic Media

All electronic media systems, including voice mail, e-mail, the Internet, fax machines, hardware, software, local area networks, files, and all information composed, transmitted, accessed, received or stored in these systems, are the property of The University of Alabama. The systems are to be used for conducting University business only, and the use of this equipment for personal purposes, commercial purposes, or for personal financial or other gain is strictly prohibited. These systems are not to be used for soliciting outside business ventures or soliciting for non-University related purposes. Consistent with the solicitation policy, however, employees may be permitted to use electronic media systems to participate in generally acceptable solicitations (i.e., United Way agencies) or for limited incidental personal use, provided such limited use does not consume a significant amount of computing resources; does not interfere with the performance of the user’s job or other university responsibilities; does not interfere with other employees' work; does not interfere with the computing activity of other users; and does not violate applicable laws, rules, policies, contracts or licenses. Further restrictions (including an absolute prohibition of all personal uses of university provided computing resources) may be imposed upon personal use in accordance with normal supervisory procedures.

The University may exercise its right to review, audit, intercept, access and disclose all matters on its systems at any time, with or without employee notice, during or after working hours. Employees should have no expectation of privacy in connection with the use of these systems.

Employees have an obligation to use their Internet access and e-mail in a responsible and informed way. Employees should identify themselves properly when using any electronic media system or service. They should also be careful about how they represent themselves, given that what they say or do could be interpreted as University opinion or policy. Employees should be aware that their representations could expose both the employee and University to legal liability.

Employees shall always respect intellectual property rights when obtaining information over the Internet or using e-mail. Illegal or unauthorized downloading, uploading, copying or distribution of copyrighted works as defined under the Digital Millennium Copyright Act is strictly prohibited. Employees should be aware that such infringement could result in legal liability for the employee and the University and may result in disciplinary action to the employee.
 

Definitions 

  • Authentication: Authentication is proof of the ownership and right to use a user ID.  Authentication can come in the form of one or more of the following: password; passcode; passphrase; PIN number; token number; biometrics such as fingerprint, facial recognition, palm print, etc.; or an authentication app, usually on a mobile device.
  • Authorization:  Once a user has properly identified and authenticated their identity, most computer applications or systems use the identity information to determine any access controls required for use of the application or system.  Access controls or authorizations are normally based on a user’s job role, job classification or job duties. 
  • Breach, compromised system, cyber breach event, unauthorized intrusion, cyber security incident: An incident or activity that affects the confidentiality, integrity and/or availability of a computer system or information on a computer system either intentionally or unintentionally by an untrusted source using manual or automated interactions.
  • Classification (information classification): Information classification is the process of sorting and categorizing information into various types, forms or any other distinct class. Information classification enables the separation and classification of information according to data set requirements for various business or personal objectives. It is mainly an information management process.
  • Computer account, electronic account:  Normally, the credentials required to access information, utilize a network or any other computer-based system.  Normally involves the use of an ID, password and any other authentication requirements.
  • Computer system: A very generic term for any desktop, laptop, server, mobile phone or tablet, or any basic internet connected device that performs services such as door locks, lights, cameras, personal internet assistant, internet attached appliance, TV, etc.
  • Data Steward: A data steward is a role within an organization responsible for utilizing some portion of the University’s information governance processes to ensure fitness of data elements - both the content and metadata.
  • Retiree:  For the purpose of this policy, a retiree is defined as having met all of the following criteria:
    • At least 10 years of service at the University; AND
    • Having at least 10 years of eligible contributions to the Teachers’ Retirement System of Alabama; AND
    • Having separated from employment with the University at the time of retirement.
  • User Identification:  A user ID is the login name or method to identify the user.  Normally, this is a common user name that is utilized for most if not all computer/electronic accounts at the University.

References

Scope

This policy applies to all faculty, staff, students, retirees, affiliates and contractors that are issued and use University Electronic Accounts.
 
 

Office of the Provost

Approved by Dr. Lesley Reid, Associate Provost, 05/02/2022