Acceptable Use of Information Technology Resources

Thank you for the opportunity to comment on the proposed policy.

I agree with David Golden's comments that the policy appears to treat research computing environments as a uniform business environment, rather than recognizing researchers' need for non-standard software and hardware that is outside the standard enterprise IT configurations. I would not like a return to how things were when I first came to ETSU, where researchers were only allowed to have standard desktops running MS Windows and software on the standards list. In principle, exceptions were possible, but none were granted, or had conditions that were impossible to meet, even if that prevented particular kinds of research from being attempted.

Similarly, the policy appears to treat academic freedom as a minor point, rather than a central component of the university's teaching and research missions. If faculty are not allowed to use the hardward and software needed to conduct their research or teach their students, because it is specialized to their discipline and not on the standard list, what protects their academic freedom? Who gets to decide what exceptions are allowed and on what basis?

Section 1
While I understand the need to maintain security of the university's IT resources, authorizing ITS staff and contractors to access any system without notice at their own discretion, may make meeting information/data security requirements demanded by various federal agencies, corporate sponsors, etc. very difficult, or even impossible, and if that is the case, prevent those researchers from seeking grants from these agencies or companies.

Section 2.2.2
This section does not define "excessive network bandwidth." Who gets to determine what excessive is? As became apparent during the 2020-21 remote operations, live streaming multiple simultaneous lectures via Zoom in some campus buildings makes the network unusable for everyone else on those segments. Would this section require preauthorization from ITS for every streamed event to ensure that multiple Zoom sessions for lectures, thesis/dissertation defenses, etc. did not create a problem?

Section 2.2.3
The requirement to comply with all instructions, etc. without explanation is categorizing all IT resources into a single administrative category. For example, a request to vacate a workstation in a shared computer lab that would be perfectly reasonable so that ITS could perform routine (not emergency) maintenance, would not be reasonable on a research system, if that maintenance at that time would cause the loss of data, or a calculation.

Section 2.3
As other commenters have stated, while it is important that all publicly accessible university digital materials meet all federal, state and local accessibility requirements, there absolutely needs to be a distinction between unfinished work product that is not yet ready for public use, private and privileged materials that are not intended for public use and research data. For example, a common requirement for video is that it have closed captioning and a transcript. For researchers recording video of human subjects, such as interviews, when must these transcripts be prepared? The plain language of the proposed policy would seem to indicate that they must be created immediately. My own research generates gigabytes of plain text numerical data. What would I be required to do to make this data compliant? If that answer is not readily available, extremely time consuming or expensive, would it effectively prevent this kind of research from being carried out at ETSU?

Section 3
Again, there appears to be a failure to distinguish between business systems used by faculty and staff, and research computing. How could a researcher comply with federal agency data security requirements if the university reserves the right to monitor, review, and release any content for unspecified reasons? This would also appear make compliance with FERPA and HIPPA uncertain. Is that truly the intent?

Section 4
A plain reading of Sections 3 and 4 appear in conflict. ETSU retains the right to access, monitor, review and release any content, but will also respect privacy and confidentiality in accordance with applicable laws. Which section is the controlling section?

Section 5.1.3
This section makes sense if it were limited to ETSU computer lab, business systems and other shared standard resources, but fails to account for what makes research computing different. It does not include research in its list of acceptable purposes, and monopolization is going to happen for a research computer used by a single research group.

Section 5.1.7
An important question: Is supported and patched by whom? By ITS, by the vendor, by the open-source project. And what recency for patches? A subsystem may have a patch that has not yet been included in the larger open-source project. If the requirement is at the individual package level (which ITS has required in the past), it might result in a less secure system because the researcher is not an expert in the many possible configuration options for that package, while the vendor or larger project team would have that expertise.

Section 5.1.8
What requirements will be placed of researchers that use cloud services? For example, will I need to get approval to use AWS EC2, each individual EC2 instance, or when each individual EC2 instance is turned on. For those of us using ECS instances on an on-demand basis, these distinctions will be important.

Section 8
Who gets to decide and what procedures exist to ensure due process? This section describes the possible penalties, but does not include who decides if a violation has occurred, what appeal processes exist to restore access, and what ensures due process for the person accused of violating the policy. Cutting a student off from access to D2L would have immediate academic consequences. For all other forms of student misconduct, policies are required to have appeal and due process provisions clearly described. A statement that procedures and due process protections will be followed seems to be inadequate if it is unknown who makes the initial decision, who handles the appeal, and which due process protections apply.

Echoing some of Sharon McGee's questions regarding section 2.3

"Users must ensure that all digital materials created or distributed through University Information Technology Resources comply with applicable accessibility standards to support equal access for all members of the ETSU community."

Additionally, I am concerned about "all" in this policy since that would apply to things like: notes we create that are intended for our own use or with a limited, select group of peers; html; scripts; images/files shared in Slack, etc., etc.

If it can be, I suggest the policy be changed to state something like: "Users must ensure that all digital materials created or distributed through University Information Technology Resources intended for public consumption comply with applicable accessibility standards to support equal access for all members of the ETSU community." As I believe that adding "intended for public consumption" will meet the Public Content Accessibility policy (Click here to view) requirements without overburdening of creating digital content for our own use or internal communications.

I agree that digital materials provide to students, posted on course websites, or publicly available on the ETSU website should be fully accessible. The policy in section 2.3 seems to state that all files on university owned computers/OneDrive accounts need to meet accessibility standards even if they are not publicly available. Does this policy also apply to students, meaning any coursework they submit needs to be accessible? If so, who is responsible for enforcing that requirement? How will this policy apply to research data or other private files that aren’t in a format that can be made accessible?

Sections 5.1.5 and 5.1.7 don’t take into account that sometimes research equipment and instrumentation runs on old computers with legacy operating systems that are not compatible with up to date antivirus and other software. Because of hardware or software compatibility issues and/or lack of manufacturer support it is often not possible to update computers and operating systems without also replacing the instrumentation as well.

As the previous comment also states, there needs to be more detail/clarity on how this policy will apply to research computing. My own research cannot be done without using remote research computing environments, transferring research data to and from remote servers, and using non-commercial third-party software.

I support ITS's efforts to keep our data, systems, and networks safe from intrusion and malicious actors. 

David Golden has offered thoughtful comments below that merit consideration. I offer the following comments  as suggestions for further strengthening and clarifying the policy.

2.1. First sentence of the last paragraph of this section seems to have a word or two missing: “Users must not engage in conduct THAT(??) harms or interferes with others, including but not…”

2.3. Accessibility and Inclusivity. Users must ensure that all digital materials created or distributed through University Information Technology Resources comply with applicable accessibility standards to support equal access for all members of the ETSU community.

What exactly does this mean? Does this mean that every document I create and store on my university computer that will not be made public must meet accessibility requirements? This is a rather onerous requirement for draft documents, graphics, etc. I understand that any public disseminated material needs to meet federal accessibility requirements, but materials that are created but not disseminated warrant exclusion unless there is some caveat in the federal policy of which I am unaware. If that is the case, it would be worth noting in the policy what that is. 

3. University Rights. 

I understand that ITS must have the right to access and monitor Content on university owned devices and/or that utilize the university network. However, as written, this section seems to provide broad access. I do note that section 4.2. says “ETSU does not routinely monitor individual use without cause…” but section 3 could be interpreted with a broad lens. Front-loading the reasoning for access, which is to maintain network integrity, etc., provides clear guardrails at the start of the section. A suggested revision is:

“To maintain network integrity, protect Users, safeguard infrastructure from intrusions or malicious activity, investigate suspected misuse, address security threats or fulfill legitimate University business needs, ETSU reserves the right to monitor, review and release the Content and activity of any User Account for University business. The university may also access: …”

By the way, what does “release the Content” mean? Is this public release? Is this for law-enforcement, internal or state audits, etc.? It might be worth defining “release” and the scope of what it could entail so that the university community understands its breadth or limits.

4.4. The last paragraph is about FERPA. This is an important point and is buried in the middle of the policy. Consider moving that earlier in the policy, perhaps under its own heading.

COMMENT ON PROPOSED POLICY: ACCEPTABLE USE OF INFORMATION TECHNOLOGY RESOURCES

Thank you to Information Technology Services and the Information Technology Council for preparing this proposed update to the Acceptable Use of Information Technology Resources Policy. Establishing clear expectations for responsible use of information technology is an important component of protecting University systems, safeguarding sensitive data, and ensuring the reliable operation of institutional infrastructure.

After reviewing the proposed policy, I offer several comments from the perspective of faculty use of University information technology resources, particularly as they relate to teaching, research, and the University’s principles of shared governance and academic freedom.

1. Explicit recognition of academic freedom and scholarly inquiry

The policy references academic freedom only briefly within a list of user responsibilities. Given the central role of academic freedom in the University’s mission, it may be beneficial for the policy to include an explicit statement clarifying that the acceptable use framework is not intended to limit lawful scholarly inquiry or teaching activities.

Faculty research often involves the use of specialized tools, data sources, and analytical methods that may appear unconventional from a purely administrative or operational information technology perspective. Explicit recognition that this policy will be interpreted in a manner consistent with academic freedom and legitimate research activity would help ensure that the policy supports the University’s academic mission.

Many universities include language such as:

“Nothing in this policy shall be interpreted to limit academic freedom, lawful research activities, or the open exchange of ideas consistent with the University’s teaching and research mission.”

2. Research computing environments

The policy generally treats information technology resources as a uniform administrative environment. However, many faculty members operate research computing environments that differ significantly from standard administrative systems.

Grant-funded research projects frequently involve specialized software, legacy applications, experimental code, external computing platforms, or discipline-specific infrastructure that may not always align with standard enterprise IT configurations.

For this reason, the policy may benefit from clarifying that research computing environments may operate under approved research security plans or project-specific requirements where appropriate. This would help ensure that security objectives are achieved without unintentionally constraining legitimate research activity.

3. Scope of authority for operational instructions

Section 2.2.3 states that Users must comply with all instructions from ITS staff, Facilities Staff, System Managers, Data Owners, and the Infrastructure Sponsor, including vacating workstations or releasing other resources when requested.

As written, this language may be interpreted as granting broad operational authority without clear limitations. Faculty governance bodies often look carefully at provisions that appear to place academic activities under the direct authority of administrative operational units.

It may be helpful to clarify that such instructions are limited to circumstances necessary to maintain system integrity, address security risks, perform maintenance, or protect University infrastructure. Narrowing the provision in this way would ensure that the policy supports operational needs while avoiding unintended implications for teaching or research activities.

4. Use of external research platforms and cloud services

Section 5.1.8 appropriately emphasizes protection of Sensitive University Data. However, faculty research increasingly relies on external computing platforms, discipline-specific repositories, and cloud services that are integral to modern scholarship.

The policy may benefit from clarifying that research environments may use approved external platforms where appropriate security and compliance reviews have been conducted. Explicitly recognizing research workflows would help avoid confusion regarding permissible uses of external infrastructure.

5. Privacy and confidentiality considerations

The policy states that users should have no expectation of privacy when using University computing resources. While it is appropriate to clarify that institutional systems may be subject to monitoring for operational and security purposes, faculty members often handle sensitive research communications, confidential peer review materials, and unpublished scholarly work.

A brief statement recognizing that the University respects privacy and confidentiality consistent with applicable laws, academic norms, and research protections would help provide balance to this section and reflect the professional context in which faculty use University systems.

6. Accessibility standards

The policy states that users must ensure that all digital materials created or distributed through University information technology resources comply with applicable accessibility standards. Faculty broadly support accessibility objectives, but the absolute language of this provision may create uncertainty regarding individual compliance obligations in complex instructional environments.

Many institutions phrase such provisions in terms of reasonable efforts or institutional support structures to ensure accessibility. Clarifying this language may help ensure the policy remains practical for faculty engaged in teaching activities.

Conclusion

The proposed policy provides a strong framework for promoting responsible use of University information technology resources and protecting institutional systems and data. The suggestions above are offered to help ensure that the policy also reflects the distinctive characteristics of the University’s academic environment, including research computing, teaching activities, and the principles of academic freedom and shared governance.

Incorporating these clarifications would help ensure that the policy supports both the operational integrity of the University’s information technology infrastructure and the core academic mission of teaching, research, and scholarly inquiry.

Respectfully submitted,

David A. Golden