Appropriate Use of Information Technology Resources
1. PURPOSE
As an institution sponsored by The Church of Jesus Christ of Latter-day Saints ("Church"), Brigham Young University–Hawaii ("BYU–Hawaii" or "university") is expected to maintain professional and ethical use of its information technology (IT) resources. This policy is designed to guide students, faculty and staff in the acceptable use of IT resources at BYU–Hawaii.
2. POLICY
University information technology (IT) resources are a valuable community asset provided to eligible employees, students, and other individuals for purposes related to the university’s mission of teaching, learning, research, creative activity, and appropriate university business activities. As such, they are to be used and managed responsibly to ensure their integrity, security, and availability.
This policy prescribes the appropriate use of BYU–Hawaii’s IT resources.
Access to university IT resources is limited to university employees, students, and others authorized by the university and may be subject to legal, ethical, and university requirements.
3. IMPLEMENTATION
3.1 Definitions
3.1.1 Information Technology Resources
Information Technology Resources (IT Resources) means university-owned infrastructure, cloud services, software, and hardware with computing and/or networking capability. It includes, but is not limited to, computers, computer systems, telephones, tablets, mobile devices, classroom presentation systems, voice communications and messaging equipment, networks and networking systems, computer software, electronically stored institutional data and messages, all similar resources, and any additional technologies or services instituted to maintain these resources.
3.1.2 Personally Owned Data
Personally Owned Data means data that was not created or acquired by a university employee or campus unit for institutional purposes but belongs to an individual. Personally Owned Data includes, but is not limited to, income tax, medical, banking, financial, family, or other personal information or data that an individual might reasonably assume to be private or sensitive.
3.2 Ownership
The university retains absolute ownership rights of IT Resources leased, licensed, or purchased under the terms of this policy for as long as they remain within the lawful possession or control of the university.
3.3 Terms of Use
As a condition to accessing and using IT Resources, all users must:
- comply with all applicable laws, university policies and procedures, contracts and licenses, and the Church Educational System (CES) Honor Code;
- use only those IT Resources that the individual user is authorized to use and only in the manner and to the extent authorized;
- not attach any device that may, in any way, endanger or disrupt the continuous and stable operation of the university network or other IT Resources, or that may compromise the confidentiality or integrity of information stored on any technology resource;
- not share or transfer individual university accounts, including network IDs, passwords, or other access codes that provide access to IT Resources;
- respect the privacy of other users and their accounts, devices, and data regardless of whether those elements are securely protected; and
- respect the limitations of IT Resources and manage usage to not interfere with the activities of others.
3.4 IT Standards
To protect university systems, data, and resources, all users of IT Resources must adhere to the IT Standards.
The chief information officer (CIO), with input from the Information Technology Privacy and Security Committee, creates, approves, and updates the IT Standards.
3.5 Personal and Commercial Use of IT Resources
IT Resources may be used for incidental personal and ecclesiastical purposes. Personal or ecclesiastical use of IT Resources must not occur under circumstances that interfere with employee work responsibilities or that consume finite resources. (See Conflict of Interest)
Personally Owned Data must not be stored on or in IT Resources, except on limited, temporary bases. The university assumes no liability for Personally Owned Data that is lost or compromised.
Users must not use IT Resources for non-university commercial purposes or non-university gain, unless authorized in writing by the chief information officer.
3.6 Privacy and Monitoring
The university provides no general expectation of privacy in the use of IT Resources except as required by law.
BYU–Hawaii reserves the right to monitor and report technology use, including the use of personal devices connected to IT Resources, to the maximum extent permitted by law. All users, by their use of IT Resources, consent to such monitoring and reporting.
As permitted by law, the university may disclose to third parties data residing in IT Resources.
3.7 Reporting
All members of the university community must promptly report the following to the Office of Information Technology:
- known or suspected breaches of data or compromises of IT Resources
- abnormal or systematic unsuccessful attempts to compromise the university’s data or IT Resources
- any suspected or actual weaknesses in the safeguards protecting data or IT Resources
The BYU–Hawaii Information Security Major Incident Response procedure (IRP) outlines and guides the university’s incident response.
- In the event of an incident or breach, the chief information officer will notify the university president, the President’s Council, and the CES Security Operations Center (SOC), following the directions in the IRP.
- Subsequent internal and external communications about the incident will be considered confidential and managed following the guide set out in the IRP.
- Breach notification and reporting to third parties will be determined by contract, law, and policy, with input from the CIO, chief information security officer (CISO), Office of General Counsel (OGC), and others, as appointed.
In the event of a third-party breach notification, where another entity has lost BYU–Hawaii data, the department that is notified, normally the department that manages the contract, is responsible for notifying the President’s Council, as well as the CIO. The CIO will notify the SOC.
3.8 Lost Devices
Lost or stolen university-owned devices such as desktops, laptops, tablets, portable storage devices, and mobile phones should be reported as soon as possible to the Office of Information Technology.
3.9 Revocation
The university reserves the right, in its sole discretion and for any reason or no reason, to immediately revoke authorization to access or to use any or all IT Resources.
3.10 Sanctions
Employees and students who commit a violation of this policy may be subject to disciplinary actions by the university and may also be prosecuted under applicable local, state, or federal civil or criminal law. University disciplinary actions may range from counseling to dismissal, consistent with university disciplinary policies.
3.11 Disclaimers
Users use IT Resources at their own risk. Although the university makes reasonable efforts to secure its IT Resources, and strives to make its IT Resources effective and efficient, it cannot guarantee their confidentiality, integrity, and availability. The university makes no warranty or promise that IT Resources will operate as designed or as expected by the user. The university assumes no legal responsibility for any damages or losses of any kind, including but not limited to loss of Personally Owned Data or devices, arising from the failure of IT Resources. Users can minimize the risk of data loss by always backing up their data.