Acceptable Use
Chapter 3410
Created February 14, 2025
Table of Contents
.010 Purpose
.020 Scope
.030 Definitions
.040 Policy
.050 Roles and Responsibilities
.060 Exceptions
.070 Policy Violations
.080 Periodic Review and Policy Updates
.090 Related Regulations and Laws
This Acceptable Use Policy (AUP) governs all users in the acceptable use of the University’s Information Technology Resources and communications networks within a culture of openness, trust, and integrity. The University’s technology resources are crucial for supporting the missions and operations of the University, and the University is committed to protecting itself and its students, faculty, and staff from unethical, illegal, or damaging actions by individuals using these systems.
.010 Purpose
The purpose of this policy is to outline the ethical and acceptable use of information technology, systems, and data at the University, ensuring that members of the University community have access to reliable and secure Information Technology Resources while upholding freedom of expression, academic inquiry, and respecting individual rights. By promoting responsible use and safeguarding against unauthorized or malicious activities, the University aims to protect its community from security risks, legal repercussions, reputational damage, and resource misuse, thereby maintaining a safe, open, and productive environment for scholarly pursuits and the free exchange of ideas.
.020 Scope
This AUP applies to faculty, staff, students, administrators, visitors, and all other users utilizing University computing resources to access and share information for educational, research, and public service purposes while upholding ethical standards and legal compliance.
Users are required to abide by this policy, and violations may lead to access restrictions, content removal, or other disciplinary or risk mitigation measures.
.030 Definitions
For clarity and to ensure a common understanding of terms used in this policy, please refer to the Glossary of Defined Terms which provides detailed definitions for all key concepts and terminology.
.040 Policy
Permitted Uses
University Information Systems are primarily for university-related use.
- Compliance: Users are required to comply with all applicable federal, state, and local laws, regulations, rules, and legal processes, and all University policies, including but not limited to those regulations regarding Information System and Information Technology Resource use. Users are responsible for reporting any actual or suspected misuse. Violations may result in disciplinary action and loss of system access.
- Limitations on Permitted Personal Use: Limited personal use of Information Systems by University employees is permitted if it adheres to this policy, does not disrupt University operations, and does not interfere with an employee’s performance of their job duties or expectations. Employees’ personal use of Information Systems may also be restricted by the University if it excessively consumes Information Systems resources (such as storage capacity or network bandwidth) or excessively consumes utilities provided by the University (such as electricity).
Users are expected to use good judgment when using University Information Technology Resources for non-University business. Users should not use University Information Technology Resources to store highly sensitive or personal data. This includes, but is not limited to, personal financial information, tax records, personal health information, data in which other person(s) are the subject, and other data that can subject the University to legal, financial, and/or compliance risk should it become compromised.
Access
Access to University information systems, with the exception of guest wireless internet, is restricted to individuals who have received formal authorization granted through an official process established by the University.
- Access Adjustment: As individuals' relationships with the University change, their authorized access to systems, services, and data will be modified in strict accordance with the guidelines established by relevant University policies. This ensures the security and integrity of our Information Systems while upholding the principles of accountability and data protection within our community.
Misuse of Computers and Network Systems
Prohibition of Misuse: Misuse of University Information Systems is strictly prohibited and includes, but is not limited to, the following actions:
- Unauthorized modification, maintenance, or removal of Endpoints and Information Systems.
- Unauthorized access to Information Systems associated with the University (e.g., using another user’s account, sharing account credentials, etc.).
- Unauthorized actions that interfere with others' access to Information Systems.
- Circumventing authentication and authorization controls.
- Using Information Systems for illegal or unauthorized purposes or in violation of applicable University policy.
- Circumventing required security measures for Information Systems.
- Processing or moving University records and data to non-University owned Information Systems or systems that do not meet University security control standards.
- Violating software licenses or copyrights, including the use of personally owned or licensed software.
- Disclosing proprietary information without authorization.
- Forgery, alteration, or misuse of records.
- Hoarding, damaging, or interfering with academic resources electronically.
- Stealing others' works or misrepresenting one's own work.
- Compromising the integrity of research as described in the Policy on Integrity in Research and Scholarly Activity.
- Launching malicious programs or attacks.
- Engaging in any activity that violates local, state, or federal law or University policies.
Privacy
- Privacy Acknowledgment: Users acknowledge that privacy on University Information Systems is not guaranteed.
- Monitoring and Access: The University reserves the right to monitor files, emails, and data for legal and policy compliance and business purposes. Monitoring may include but is not limited to circumstances in which:
- The information is something the user has given permission to access or has voluntarily made accessible, such as posts to publicly accessible websites or systems and/or posts to publicly accessible network services.
- Monitoring is reasonably necessary to protect the integrity, security, or functionality of the University's computing resources or to protect the University from liability.
- There is reason to believe the user has violated or is violating this or other University policies or applicable legal and regulatory requirements.
- An account appears to be engaged in unusual activity detected during the course of reviewing general system activities, usage patterns, or as indicated by detective security mechanisms.
- Monitoring occurs as part of activities conducted to maintain the University’s computing resources, including, but not limited to, backup and caching of data and communications, logging of activity, review of patterns of user activity, and scanning of systems and networks for anomalies and vulnerabilities.
- It is otherwise required or permitted by Law, Policy, or other legal authority.
- Repair and Maintenance Access: Authorized IT personnel may access user files or data as necessary during repair or maintenance activities, strictly adhering to their designated tasks and not for personal use.
- Compliance with Legal Requests: The University will comply with lawful requests such as public records requests, administrative or judicial orders, and law enforcement investigations requiring access to electronic data and records stored in the University’s Information Systems.
- Response to Misuse or Policy Violations: Users should not expect privacy in data, email, or other information on university systems. The University may monitor and inspect user activities, files, and Information Systems if misuse or policy violations are suspected, following proper review and approval procedures outlined in the policy.
- Business Operations Access: In cases of employee unavailability or refusal to provide necessary information for business operations, authorized offices may grant access to data and records after consultation and approval from relevant authorities, ensuring continuity of university operations.
Unless otherwise required by applicable law, legal process, or policy, any monitoring, access, or investigation described above must be authorized in advance by the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO). The CIO or CISO will work with the appropriate Cabinet-level administrator(s) and/or President before giving approval to proceed.
The University, at its discretion, through the CIO or CISO, may disclose the results of any such general or individual monitoring and information accessed, including but not limited to the contents and records of individual communications, to appropriate University personnel and/or in reporting to appropriate authorities. The University also may use those results in disciplinary proceedings and as the University otherwise deems necessary. Additionally, communications made by means of University computing resources are generally subject to the Kansas Open Records Act to the same extent as they would be if made on paper.
- University Email Accounts: Faculty and staff must use University email accounts for official University business communications in accordance with defined policies. University email accounts are those with the domain name @KSU.edu or other University-approved vanity domain names used by specific departments or units for official purposes. Departmental or personal email accounts that are not University-approved (i.e., external providers such as Gmail, Yahoo, etc.) must never be used for University business communications.
- Automated Email Forwarding: Automated forwarding of email from a university email account to non-University email addresses is prohibited. However, forwarding to other University-sanctioned K-State email addresses, such as those with approved domains (including, but not limited to, vet.k-state.edu, phys.ksu.edu, kstatesports.com, k-state.com), is permitted as long as it complies with applicable policies.
- Email Best Practices: Users should not assume privacy in emails and must be cautious with attachments and mass distribution messages, adhering to copyright laws and license agreements.
- Manual Email Forwarding: Users may manually forward emails to non-University addresses for business-related purposes, so long as the information forwarded does not violate applicable law or University policy, including the University’s Data Classification and Storage Policy (insert link).
- Email Retention: Emails must be retained in accordance with applicable records retention policies and schedules. After fulfilling the retention requirements, emails and attachments should be deleted when no longer needed. Email retention times must comply with the University’s Data Classification and Storage policy (insert link).
Websites, Apps and Digital Content
- Official University Digital Properties: Websites, pages, mobile apps, and web apps published under official University domains must adhere to established standards. They are considered official University publications and must prominently display the administrative unit's logo.
- Logo Usage: Unauthorized use of university logos on digital properties is prohibited without express written permission from the University.
- Compliance Requirements: Publishers of University websites, apps, and digital content must comply with university policies and all applicable laws and regulations, including but not limited to copyright, accessibility, privacy, and security laws.
- Content Accuracy: Publishers are responsible for ensuring the accuracy of content on digital properties and must review it regularly. Feedback mechanisms for users should be provided on websites and apps.
- External Accounts: University and campus-affiliated accounts on external services (e.g., social media platforms) are considered University property. Content posted on these accounts must align with university policies.
Information Systems Security
- Endpoint Management Services: The University’s IT organization provides enterprise-wide endpoint management services for securely managing University Endpoints and Systems in compliance with security standards.
- Exception Process: Requests to exempt Endpoints and Information Systems from the provided management services must follow the IT policy exception process.
Key Requirements:
- All University-owned, controlled, protected, or authorized Endpoints and Information Systems must follow the requirements set forth in the Computer Standards Policy.
- All University-owned, controlled, protected, or authorized Endpoints and Information Systems must be inventoried and managed using enterprise-wide endpoint management services.
- Access control measures must be enabled on all University-owned, controlled, protected, or authorized Endpoints and Information Systems.
- Endpoint device management software, inventory software, and antivirus/anti-malware and/or endpoint protection software must be installed and regularly updated on all University-owned, controlled, protected, or authorized Information Systems.
- Non-compliant Endpoints and Systems must still adhere to security control standards and configuration management guidelines.
- Multi-factor Authentication must be used at all times when accessing Non-Public University data as defined in the Data Classification and Storage Policy.
Information Security Review
All University Information Systems procured or developed with university resources will be subject to inventory, scanning, and security review as required in the Risk Management Policy.
Removable Media/Media Protection
- Removable Media: Removable media is meant for data transfer between Information Systems and not for storage, long-term archiving, or storage of Information Systems backup data.
- Data Storage: University data and records should be stored exclusively on University Information Systems as outlined in the Data Classification and Storage Policy.
- Data Encryption: Removable Media can be used to transfer high or medium-risk data only if the data or media is encrypted as per the Data Classification and Storage Policy.
- Data Retention: Removable Media storing University data must comply with University Data Storage and Classification Policy and Data Retention and Disposal Policy.
- E-Discovery Considerations: In case of University e-discovery investigations involving Removable Media, data must be retained, and care must be taken during the data destruction process to preserve relevant data.
Password Management
To enhance cybersecurity and protect both personal and institutional data, all users are required to create strong, secure passwords that meet the complexity guidelines established in the Password Standard. The use of Information Systems that cannot conform to the Password Standard due to technical limitations must be approved by the Chief Information Security Officer.
All users must utilize their own individual, unique passwords when accessing University information technology resources and systems. The University strictly prohibits users from sharing their passwords with any other user.
Two-factor authentication, which requires proof of possession and control of two distinct authentication factors, should be used wherever possible. Two-Factor Authentication should be used for all privileged access accounts and to access the data classification levels described in the Data Classification and Storage Policy (insert link).
BYOD Devices
Responsibilities: University employees, contractors, affiliates, or other authorized workforce members using personally owned devices for University-related tasks are responsible for device security, data management, incident reporting, and compliance with public records and discovery requests.
This policy applies exclusively to individuals acting within the course and scope of their official duties for the University. It does not extend to students or members of the public, except where they have been expressly authorized to perform work on behalf of the University.
Access to Restricted Data: Access, transmission, processing, or storage of Restricted Data (as defined by the University's Data Classification and Storage Policy) on personally owned devices, non-University-owned cloud services, or Removable Media devices is strictly prohibited. Any exception to this provision must be reviewed and approved through the Security Exception Management Policy.
This policy applies to university employees, contractors, affiliates, and authorized workforce members, acting within the scope of their official duties. Exceptions for students or other individuals acting in a university-related capacity must be expressly approved by the relevant authority.
Security Measures: Individuals must ensure the security of personally owned devices by applying management and control mechanisms equal to or exceeding those required for university-owned devices. This includes devices on which University Data is accessed via an internet browser only. Units must evaluate and approve individual requests for accessing or maintaining University data on personally owned devices. Personally owned devices must be password protected, have the latest security updates applied, be free of high-risk vulnerabilities, and employ a modern anti-virus/malware solution. Personally owned devices that are shared between multiple people must not be used. Mobile devices, such as a smartphone or tablet, must use secure application-based compartmentalizing capabilities to segment University Data from personal data. The University reserves the right to remotely cleanse personally owned devices of university data at any time.
Personally owned devices should never be used or considered as a replacement for a university provided device. Employees issued a university-owned, controlled, protected, or authorized device must use that device as their primary device for University business. Further guidance on the use of personal devices can be found in the BYOD Standard.
Security Awareness Training and Education: Ongoing training and education programs are required to ensure users understand their responsibilities under the AUP and are aware of current cyber threats.
Incident Reporting: Security incidents, potential breaches of this policy, or general questions regarding this policy should be reported to [insert responsible department].
.050 Roles and Responsibilities
The Associate Vice President and Chief Information Officer (CIO) is responsible for the implementation, oversight, and maintenance of this policy. The Vice President for Administration and Finance is responsible for the final approval of this policy.
Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Associate Vice President and Chief Information Officer (CIO).
.060 Exceptions
The University recognizes that there may be academic or research pursuits that require deviations from these policies, standards, and procedures. Therefore, the University has developed an exception process that users may utilize to justify such deviations and document the associated risks.
Exceptions to any portion of this Policy require an acceptance of risk and must be jointly approved by following the Security Exceptions Management Policy.
.070 Policy Violations
The Acceptable Use of Information Technology Resources policy is enforced through the following mechanisms.
Interim Measures: The University may suspend service to an individual or device in response to an actual or perceived security concern or if there is apparent or suspected misuse of university computing resources or networks.
When practicable, reasonable efforts will be made to notify the user before service suspension unless law enforcement or system and network integrity requires immediate action. The rights and processes afforded to individuals will vary based on their relationship with the University, as outlined below:
- Employees: Employees may be required to cooperate with reviews or investigations as part of their employment duties.
- Students: Students are entitled to due process, which includes timely notification and an opportunity to contest actions, particularly when restrictions may affect their ability to participate in educational programs or activities.
- Guests and Other Users: Guests and other users not affiliated with the University may have fewer rights and may experience immediate suspension of access without prior notice.
Suspension of Services and Other Actions: Users may receive warnings, be required to agree to conditions for continued service, or have their privileges suspended if policy violations occur. The nature of the response will be proportionate to the user’s relationship with the University (e.g., employees, students, guests) and the severity of the violation.
Disciplinary Action: Failure to comply with university policies may result in the loss of computing privileges, restriction of the ability of devices to connect to or be used on University networks, and other disciplinary measures as defined in [insert link to University Sanctions and/or Disciplinary Policies and Procedures]. Disciplinary actions will be consistent with the procedures applicable to the individual’s status (e.g., student, employee, guest).
University Leadership should ensure the Chief Information Security Officer (CISO) or other existing IT staff is responsible for:
- Determining which standards should be followed (and documenting necessary exceptions),
- Establishing a process to disseminate those standards,
- Coordinating and evaluating compliance efforts across the entire University.
In order for the University to respond to the evolving threat landscape, the University may adopt changes to this policy at any time, at the discretion of the CIO.
.080 Periodic Review and Policy Updates
To ensure relevance and compliance with evolving regulatory, technological, and operational standards, this policy should undergo a comprehensive review at least annually. During this review, necessary updates will be made to reflect any new legal requirements, organizational changes, or external factors impacting policy efficacy.
.090 Related Regulations and Laws
- State of Kansas, ITEC Information Technology Policy 1200 Acceptable Internet Use
- State of Kansas, ITEC Information Technology Policy 7230 Enterprise Security Policy
- State of Kansas, ITEC Information Technology Standards & Guidelines 7230A IT Security Standards