Acceptable Use Policy

What is the Acceptable Use Policy (AUP)?

The Acceptable Use Policy (AUP) is a document created by the Information Security Office for outlining guidelines regarding university-owned technical computing resources. This newly-released policy has information on acceptable and unacceptable device usage, as well as guided information on UO compliance.

What is my role in the AUP?

The Acceptable Use Policy applies to every member of the University of Oregon. All controls from the AUP apply to you, regardless of the role you have at the University.

Where do I get support on the AUP?

Please refer to isrc@uoregon.edu for any questions or comments you may have about the Acceptable Use Policy.

Reason for Policy  

This policy establishes the acceptable, as well as unacceptable or unauthorized, use of University of Oregon Computing Resources by all Users, internal or external.  

Entities Affected by this Policy

All Users, internal or external, of University of Oregon Computing Resources.

Web Site Address for this Policy

[Provided by Office of the University Secretary after policy is posted online]

Responsible Office

For questions about this policy, please contact the Office of the Chief Information Security Officer, isrc@uoregon.edu.

Enactment & Revision History

12/10/2025 - Initial Publishing

Definitions

Artificial Intelligence (AI) refers to a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments.

Data refers to raw, unprocessed text, facts or figures that lack context on their own. (In this document, data and information might be used interchangeably).

Data Availability refers to methods for ensuring that required data is always accessible when needed, in accordance with university retention policies.

Data Confidentiality refers to methods for ensuring that access to sensitive data is limited to authorized individuals.

Data Integrity refers to methods for ensuring that data is complete, accurate, consistent, and safeguarded from unauthorized modification.

Information is data that has been organized, interpreted, and given context to become meaningful and useful for decision-making; essentially, information is processed data that provides insights and understanding. (In this document, data and information might be used interchangeably).

Large Language Model (LLM) refers to powerful machine learning or Artificial Intelligence (AI) algorithms that can generate human-like text, understand natural language, trained on massive datasets of text and are designed to predict the next word in a sequence, allowing them to perform tasks like translation, summarization, and content generation.

University of Oregon (UO) Computing Resources means university-owned, licensed or managed data stored in any form (e.g., electronic, paper, or any other medium), hardware (e.g.,  central processing unit, computer memory and peripherals, file storage, Internet of things devices), software, network infrastructure, Internet Protocol (IP) addresses, email accounts, and domain names, regardless of location, whether on-premises, in the cloud or elsewhere.

University of Oregon (UO) Records means any record as defined in the university records management policy IV.10.01.

User (of UO Computing Resources) means any individual who attempts to access or has access to UO Computing Resources.

 

Policy

Purpose

In support of our commitment to exceptional teaching, discovery, and service, the University of Oregon (“UO”) provides access to its network, information, and other computing resources to the UO community and guests. These resources are provided to empower excellence in instruction, research, and service by facilitating academic inquiry, communication, sharing, collaboration, and effective administration and operations while protecting User safety and privacy, and supporting academic freedom in a secure and resilient environment. Maintaining this environment requires that members of the UO community, visitors, and guests respect the rights of other Users, use resources responsibly, and endeavor to defend our computing resources. The purpose of this policy is to establish acceptable behavior and promote efficient, ethical, and legal use of UO Computing Resources.

Scope

This policy applies to all Users of, and governs all use of, UO Computing Resources owned by or in the custody of the University of Oregon, including employees, students, contractors, partners, vendors, visiting scholars, and other campus visitors and guests.  This policy applies to technology whether administered in individual departments and divisions or by central administrative departments. It also applies to non-university devices, including personally owned computers and devices such as mobile computing devices (e.g., smartphones, tablets, laptops), which are connected by wire or wirelessly to the university’s network or systems, devices containing legally restricted university information (e.g., pictures, medical information, other protected information), and off-site systems that connect remotely to university network services.Access to UO Computing Resources must comply with this policy, all other applicable university policies, procedures, established practices, and state and federal laws.

Rights and Responsibilities

The university provides Users with access to scholarly and/or work-related technologies and tools, as well as access to computing resources, including but not limited to computer systems, servers, software and databases, to the campus telephone and voice mail systems, the library system, and to the Internet and cloud online services. Users have a reasonable expectation of unobstructed use of these resources available to them, of certain degrees of privacy (which may vary depending on whether the User is a university employee or a prospective or enrolled student), and of protection from abuse and intrusion by others sharing these resources. Users can expect the right to access information and to express their opinion to be protected as it is for paper and other forms of non-electronic communication.Conversely, Users are responsible for knowing the regulations and policies of the university that apply to appropriate and acceptable use of the UO Computing Resources. Users are responsible for exercising good judgment in the use of the university's technological and information resources.  By using UO computing resources, and/or accepting any UO-issued computing accounts, the User agrees to comply with this and all other computing and information security-related policies. Users have the responsibility to keep up to date on changes in the computing environment, as published, using UO electronic and print publication mechanisms, and to adapt to those changes as necessary.

Principles

The requirements for acceptable use of UO Computing Resources outlined in this policy are guided by the following general principles:

  1. UO Computing Resources are intended to enable the university's research, instructional, administrative, and service-related functions. Uses within and beyond these functions must comply with existing university policies and procedures as well as state and federal law.
  2. UO Computing Resources are to be used and supported to ensure data confidentiality, integrity, and availability.
  3. Each User is expected to comply with UO Information Security policies and standards, and take necessary precautions as outlined in UO Information Security policies, standards, and guidelines to safeguard UO Computing Resources and to report policy violations or suspected security incidents.
  4. Each User is expected to use UO Computing Resources responsibly and to be considerate of other Users of shared resources.
  5. Subject to law and applicable policy, authorized university personnel with a demonstrably legitimate need may access an individual’s specific UO Computing Resources to fulfill their official professional responsibilities (e.g., conducting security incident investigations by IT staff). See “Access and Review” below.

Expectations for Appropriate Use

The following statements are examples that illustrate expectations for acceptable use of UO Computing Resources based on the principles outlined above. They are not meant to be an exhaustive list of all possible expectations that govern the use of UO Computing Resources. The Information Security Office maintains a Catalog of Appropriate and Acceptable Use of Computing Resources findings pertinent to the Acceptable Use Policy. Users are responsible for reviewing the catalog for current findings.

  1. Use UO Computing Resources to perform activities that support the research, instruction, service, administration, and other goals of the university. Incidental personal use is permitted but is required to comply with university policies and standards, meet legal requirements, and not interfere with or disrupt university operations.
  2. Safeguard UO Computing Resources in accordance with policies, standards, and guidelines established by the university. As a User of UO Computing Resources, Users may be provided with computer access accounts, computing devices, access to the network, email accounts and other resources. Protect all personally identifiable information (PII), protected health information (PHI) and other sensitive data in accordance with applicable data privacy regulations (e.g., UO Privacy Policy, FERPA, HIPAA, GDPR, Oregon Consumer Privacy Act, California Privacy Rights Act). Users must take steps to increase their knowledge through UO security awareness training and follow UO policies, standards, and guidelines to properly safeguard these resources.
  3. Use UO Computing Resources after proper authorization has been granted. Generally, access is granted to UO Users based on two security principles: 1) least privilege, where the minimum privilege required to carry out approved activities is assigned to each User; 2) least functionality, where UO Computing Resources are configured to provide Users with the minimum functionality required to carry out their duties.
  4. Use UO Computing Resources in a responsible and efficient manner. UO Computing Resources (e.g., network bandwidth, storage, email system, and computer processing power) are finite and usually shared among our constituents. Therefore, Users are expected to use resources in a manner that minimizes impacts on other Users.
  5. Respect the privacy, intellectual property, copyrights and other rights of other UO Computing Resource Users. Academic inquiry, communication, sharing and collaboration, IT management and support, and information security must be balanced with privacy and other rights of UO constituents and must not improperly or illegally infringe on the intellectual property rights of others.
  6. Use UO Computing Resources in accordance with policies, standards, and guidelines established by the university such as the Conflict of Interest, Conflict of Commitment, and Outside Activities policy, and in accordance with bargaining agreements, state and federal laws, and contractual agreements. As a User of UO Computing Resources, Users may be provided with computer access accounts, computing devices, access to the network, email accounts and other resources. Users must take steps to increase their knowledge through UO security awareness training and follow UO policies, standards and guidelines to properly safeguard these resources.
  7. Use and protect UO Computing Resources assigned to you. As part of their affiliation with the university, Users may be assigned IT resources (e.g., computer access account, email account, network port, computers, office phone, peripherals, and mobile devices). Users are expected to bear responsibility for and may be held accountable for actions carried out with those resources.
  8. Include only material relevant to organizational matters in UO or departmental electronic communications, such as email, websites, or blogs. Personal websites, chat rooms, web logs (also known as blogs), video logs (also known as vlogs), and other forms of publicly available electronic communications hosted on or linked from UO computing resources and technology must comply with this Acceptable Use Policy and prominently include the following disclaimer: “The views, opinions and material expressed here are those of the author and have not been reviewed or approved by the University of Oregon.”  
  9. Use only legal versions of copyrighted software in compliance with vendor license requirements. Abide by all applicable copyright laws and licenses. The University of Oregon has entered into legal agreements or contracts for many of its software and network resources which require everyone using them to comply with those agreements.
  10. Maintain university data and records within authorized information systems of record and in compliance with appropriate records retention policies. The university cannot guarantee appropriate safeguards for data or information hosted in information systems that have not been approved. Consequently, Users are expected to maintain university data and records within information systems that have been vetted and approved by the university. For example, use of unapproved third-party email systems, storage solutions or applications must be vetted and approved by the Information Security Office before such systems can be used to access, process or store University Records and data (e.g., follow guidelines on where to store UO data).

Examples of Inappropriate Use or Misuse

The following are examples of inappropriate use or misuse of UO Computing Resources. This list is meant to illustrate common misuse and is not intended to be an exhaustive list. Some activities will not be considered inappropriate use or misuse when authorized by appropriate UO officials (e.g., when testing effectiveness and performance of security safeguards or when performing one’s duties). The Information Security Office maintains a Catalog of Inappropriate and Unacceptable Use of Computing Resources findings pertinent to the Acceptable Use Policy. Users are responsible for reviewing the catalog for current findings.

  1. Searching for and attempting to circumvent or exploit information system security flaws in UO Computing Resources without the express permission of the Information Security Office (e.g., using tools such as vulnerability scanners, penetration testing, password crackers, packet sniffers, social engineering techniques such as phishing, or other hacking tools).
  2. Performing intentional and/or malicious excessive use of UO Computing Resources that substantially interferes with the university's mission.
  3. Sharing your personal, or individual non-person, account access credentials such as passwords or tokens with another person, including but not limited to your IT support staff, Information Security Office staff, supervisors, your staff, family or friends.  
  4. Storing or processing UO data in information systems that do not comply with university security policies, standards, and controls or that violate applicable regulatory requirements.  
  5. Attempting to impersonate, intercept, alter, or monitor another User’s communications or files without their permission or an approved business need.
  6. Taking deliberate actions that significantly disrupt university operations, violate confidentiality agreements, or significantly increase the risk of causing a security incident.
  7. Attempting to locate data on UO Computing Resources for which the User does not possess a justifiable business reason for attempting access. Technical ability to access data does not automatically confer authorization to access said data without a valid business justification. Attempts to access data may include, but are not limited to, the following:
    1. Navigating accessible SharePoint sites and file shares.
    2. Searching SharePoint sites.
    3. Searching messaging tools (e.g., Slack or Teams) for data.
    4. Using AI assistants (e.g., Microsoft Copilot) to locate data.
    5. Querying databases and other structured/semi-structured data stores for data.
  8. Using email, social networking sites or tools, text messaging (SMS, video, picture, audio or other media messaging provided via mobile phone) or other messaging services in any inappropriate manner including, but not limited to, usage:
    1. In violation of laws or regulations.
    2. To harass or intimidate another person.
    3. To display sensitive information covered under security and privacy policies and standards.
  9. Using UO Computing Resources to gain unauthorized access to, or in any way compromise the security of, any UO or non-UO person, computer systems or services.
  10. Using UO Computing Resources to violate UO policies, standards and guidelines, state and federal laws, and contractual agreements.

Enforcement

This policy has the force of law pursuant to ORS 352.087. A university employee who fails to comply with this policy and its associated procedures may be subject to discipline, up to and including termination. Discipline will be imposed consistent with applicable university policies and/or applicable collective bargaining agreements. A student who fails to comply with this policy and its associated procedures may be referred to the Office of Student Conduct and Community Standards for educational intervention and subject to action and/or sanction as outlined by the Student Conduct Code. Contractors, partners, vendors, visiting scholars, and other campus visitors and guests in violation of this policy and its associated procedures might have their access to UO Computing Resources modified, suspended, or terminated depending on the violation. In some cases, violations of this policy may also constitute violations of state and federal laws and include associated consequences.Unintended minor violations or accidental infractions will typically result in warnings, notifications, or recommendations for awareness training. In addition, students involved in unintended minor violations or accidental infractions may be referred to the Office of Student Conduct and Community Standards for educational intervention.Instances where network and other hardware devices, computer systems, applications, data or information, access accounts or other components are found to be in violation of UO policies, standards, or procedures, defensive actions may be taken by authorized UO staff such as the Information Security Office to safeguard UO Computing Resources and protect other Users. Examples of defensive actions may include removal or blocking of applications, websites, or devices from the network, disabling access accounts, or other measures as appropriate to mitigate the specific risk.

Access and Review

Because the university owns, controls, and has a custodial relationship with its Computing Resources, it reserves the right to monitor usage of those resources to ensure their security, availability, efficiency, and effectiveness. This access and review will be consistent with state and federal law, collective bargaining agreements and with other university policies and procedures. A non-exhaustive list of examples of specific circumstances under which monitoring and/or access can be carried out, by authorized personnel, includes:

  • to investigate potential violations of UO policy, standards, guidelines, or state, federal laws or contractual agreements
  • to comply with legal requests, including public records laws and subpoenas
  • to perform authorized security functions including audits, risk identification, incident prevention, threat and vulnerability monitoring, misuse investigation, incident response or patch management
  • to access information in case of emergencies to protect the health and safety of individuals and safeguard university-owned or controlled assets, if deemed necessary by authorized personnel
  • to perform administration of UO Computing Resources in accordance with UO policies, standards and procedures or generally accepted industry best practices.
  • to access electronic records to ensure the continuous operation of university business and mission.

Reporting Misuse

Suspected misuse of UO Computing Resources, or violations of this policy and underlying standards and procedures must be reported to the UO Information Security Office by emailing infosec@uoregon.edu or by calling (541) 346-5837. Alternately, suspected misuse can be reported to the Office of Internal Audit (OIA) either directly (541-346-3200) or through the anonymous and confidential Fraud & Ethics Hotline available from the OIA intranet page.

Exception

In a limited number of instances, exceptions to parts of this policy may be granted. In these cases, an exception request should be submitted to the Information Security Office, outlining justification for the request. The exception request procedure and request form are outlined in Information Security Standard Exception Request.

Learn More

Information Security Program Policy

Information Asset Classification & Management Policy

Data Security Incident Response Policy

Related Resources

Quick Links