Print Policies

As used in this policy:
a. "Information resources" are all computer and communication devices and other technologies which access, store or transmit University or student information.
b. "Information" includes both University and student information.
c. "Personally owned resources" are information resources that are under the control of University employees or agents and are not wholly owned by the University.

a. General Policy
Users of information resources must protect (i) their online identity from use by another individual, (ii) the integrity of information resources, and (iii) the privacy of electronic information. In addition, users must refrain from seeking to gain unauthorized access, honor all copyrights and licenses and respect the rights of other users of information resources.

b. Access
Users must refrain from seeking to gain unauthorized access to information resources or enabling unauthorized access. Attempts to gain unauthorized access to a system or to another person's information are a violation of University policy and may also violate applicable law, potentially subjecting the user to both civil and criminal liability. However, authorized system administrators may access information resources, but only for a legitimate operational purpose and only the minimum access required to accomplish this legitimate operational purpose.

(1) Prohibition against Sharing Identities
Sharing an online identity (user ID and password or other authenticator such as a token or certificate) violates University policy.
(2) Information Belonging to Others
Users must not intentionally seek or provide information on, obtain copies of, or modify data files, programs, passwords or other digital materials belonging to other users, without the specific permission of those other users.
(3) Abuse of Computing Privileges
Users of information resources must not access computers, computer software, computer data or information, or networks without proper authorization, or intentionally enable others to do so, regardless of whether the computer, software, data, information, or network in question is owned by the University. For example, abuse of the networks to which the University belongs or the computers at other sites connected to those networks will be treated as an abuse of University computing privileges.

c. Usage
The University is a non-profit, tax-exempt organization and, as such, is subject to specific federal, state and local laws regarding sources of income, political activities, use of property and similar matters. It also is a contractor with government and other entities and thus must assure proper use of property under its control and allocation of overhead and similar costs. Use of the University's information resources must comply with University policies and legal obligations (including licenses and contracts), and all federal and state laws.

(1) Prohibited Use
Users must not send, view or download fraudulent, harassing, obscene (i.e., pornographic), threatening, or other messages or material that are a violation of applicable law or University policy. In particular, contributing to the creation of a hostile academic or work environment is prohibited.
(2) Copyrights and Licenses
Users must not violate copyright law and must respect licenses to copyrighted materials. For the avoidance of doubt, unlawful file-sharing using the University's information resources is a violation of this policy.
(3) Social Media
Users must respect the purpose of and abide by the terms of use of online media forums, including social networking websites, mailing lists, chat rooms and blogs.
(4) Political Use
University information resources must not be used for partisan political activities where prohibited by federal, state or other applicable laws, and may be used for other political activities only when in compliance with federal, state and other laws and in compliance with applicable University policies.
(5) Personal Use
University information resources should not be used for activities unrelated to appropriate University functions, except in a purely incidental manner.
(6) Commercial Use
University information resources should not be used for commercial purposes, including advertisements, solicitations, promotions or other commercial messages, except as permitted under University policy. Any such permitted commercial use should be properly related to University activities, take into account proper cost allocations for government and other overhead determinations, and provide for appropriate reimbursement to the University for taxes and other costs the University may incur by reason of the commercial use. The University's Chief Financial Officer and Vice President for Business Affairs will determine permitted commercial uses.
(7) Use of University Information
Users must abide by applicable data storage and transmission policies, including Admin Guide 6.3.1 (Information Security). Consult the University Privacy Officer (privacyofficer@stanford.edu) for more information.

d. Personally Owned Resources
Stanford does not require personnel to use their personally owned resources to conduct University business. Individual units within the University may permit such use, and users may choose to use their own resources accordingly. Any personally owned resources used for University business are subject to this policy and must comply with all Stanford requirements pertaining to that type of resource and to the type of data involved. The resources must also comply with any additional requirements (including security controls for encryption, patching and backup) specific to the particular University functions for which they are used.

e. Integrity of Information Resources
Users must respect the integrity of information and information resources.

(1) Modification or Removal of Information or Information Resources
Unless they have proper authorization, users must not attempt to modify or remove information or information resources that are owned or used by others.
(2) Other Prohibited Activities
Users must not encroach, disrupt or otherwise interfere with access or use of the University's information or information resources. For the avoidance of doubt, without express permission, users must not give away University information or send bulk unsolicited email. In addition, users must not engage in other activities that damage, vandalize or otherwise compromise the integrity of University information or information resources.
(3) Academic Pursuits
The University recognizes the value of legitimate research projects undertaken by faculty and students under faculty supervision. The University may restrict such activities in order to protect University and individual information and information resources, but in doing so will take into account legitimate academic pursuits.

f. Locally Defined and External Conditions of Use
Individual units within the University may define "conditions of use" for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines restrictions, and/or enforcement mechanisms. Where such conditions of use exist, the individual units are responsible for publicizing and enforcing both the conditions of use and this policy. Where use of external networks is involved, policies governing such use also are applicable and must be followed.

g. Access for Legal and University Processes
Under some circumstances, as a result of investigations, subpoenas or lawsuits, the University may be required by law to provide electronic or other records, or information related to those records or relating to use of information resources, ("information records") to third parties. Additionally, the University may in its reasonable discretion review information records, e.g., for the proper functioning of the University, in connection with investigations or audits, or to protect the safety of individuals or the Stanford community. The University may also permit reasonable access to data to third-party service providers in order to provide, maintain or improve services to the University. Accordingly, users of University information resources do not have a reasonable expectation of privacy when using the University's information resources.

Responsibility for, and management and operation of, information resources is delegated to the head of a specific subdivision of the University governance structure ("department"), such as a Dean, Department Chair, Administrative Department head, or Principal Investigator ("lead"). This person will be responsible for compliance with all University policies relating to the use of information resources owned, used or otherwise residing in their department.

The lead may designate another person to manage and operate the system, but responsibility for information resources remains with the lead. This designate is the "system administrator."

The system administrator is responsible for managing and operating information resources under their oversight in compliance with University and department policies, including accessing information resources necessary to maintain operation of the systems under the care of the system administrator. (See also section 4.b; system administrators should defer to the Information Security Office for access beyond that necessary to maintain operation of the system.)

a. Responsibilities
The system administrator should:

• Take all appropriate actions to protect the security of information and information resources. Applicable guidelines are found at http://securecomputing.stanford.edu.
• Take precautions against theft of or damage to information resources.
• Faithfully execute all licensing agreements applicable to information resources.
• Communicate this policy, and other applicable information use, security and privacy policies and procedures to their information resource users.
• Cooperate with the Information Security Office to find and correct problems caused by the use of the system under their control.

b. Suspension of Privileges
System administrators may temporarily suspend access to information resources if they believe it is necessary or appropriate to maintain the integrity of the information resources under their oversight.

a. Reporting Violations
System users will report violations of this policy to the Information Security Office, and will immediately report defects in system accounting, concerns with system security, or suspected unlawful or improper system activities to the Information Security Office during normal business hours and the Office of the General Counsel emergency after-hours phone line at other times.

b. Accessing Information & Systems
Inspecting and monitoring information and information resources may be required for the purposes of enforcing this policy, conducting University investigations or audits, ensuring the safety of an individual or the University community, complying with law or ensuring proper operation of information resources. Only the University's Chief Information Security Officer (or designate) may authorize this inspection and monitoring.

c. Cooperation Expected
Information resource users are expected to cooperate with any investigation of policy abuse. Failure to cooperate may be grounds for cancellation of access privileges, or other disciplinary actions.

A user found to have violated this policy may also have violated the University Code of Conduct, the Fundamental Standard, the Student Honor Code, and/or other University policies, and will be subject to appropriate disciplinary action up to and including discharge, dismissal, expulsion, and/or legal action. The Chief Information Security Officer will refer violations to University units, i.e., Student Affairs for students, the supervisor for staff, and the Dean of the relevant School for faculty or other teaching or research personnel, if appropriate.

University's Chief Information Security Officer, or other person designated by the Vice President for Business Affairs and Chief Financial Officer, shall be the primary contact for the interpretation, monitoring and enforcement of this policy.

a. Student Discipline—See Student Life/Codes of Conduct/Fundamental Standard/Honor Code
b. Staff Discipline—See Guide Memo 2.1.16: Addressing Conduct & Performance Issues
c. Faculty Discipline—See the Statement on Faculty Discipline in the Faculty Handbook
d. Patents and Copyrights—See Research Policy Handbook 9.1 and 9.2; see also the Stanford University Copyright Reminder
e. Political Activities—See Guide Memo 1.5.1: Political Activities  
f. Ownership of Documents—See Research Policy Handbook 9.2 and Guide Memo 1.5.5: Ownership of Documents 
g. Incidental Personal Use—See Research Policy Handbook 4.1, and Guide Memo 1.5.2: Staff Policy on Conflict of Commitment and Interest
h. Security of Information—See Guide Memo 6.6.1: Information Security Incident Response
i. Privacy and Security of Health Information (HIPAA)—See Guide Memo 1.6.2: Privacy and Security of Health Information
j. Data Classification, Access and Transmittal and Storage Guidelines—See http://dataclass.stanford.edu.
k. Endpoint Compliance—See http://securecomputing.stanford.edu/endpoint_compliance.html

To ensure the security and integrity of both University data and data belonging to individuals, all owners of Stanford computer systems and networks must develop and implement access control policies. This Memo does not describe possible policies nor specify how to choose one; however, systems with non-public resources to protect should have policies that base access control on user identities.

Authentication is the secure identification of system users. The system owner is responsible for determining which authentication method to use among those that may be available for a particular system. However, system owners are strongly encouraged to rely on the authentication services provided by Stanford's central computing organization rather than using system-specific authentication methods. This service provides secure authentication and consistent campus-wide identification.

It is University policy that all University business for which computer-based forms and actions have been released will be done using those computer-based systems; paper forms are no longer accepted. This policy applies to all aspects of qualifying transactions, including initiation, routing, processing by Schools and VP Area offices, and transmission to and processing by central administrative offices. Secure identification of the participants in all such transactions is crucial to the successful conduct of University business. The centrally-supported authentication service described in this Memo is designed to support University business requirements.

a. Linked Identifiers
Stanford maintains a set of linked records identifying all employees, students, and others who use the University's computing resources. These records correlate SUNet ID, University ID, and Stanford Identification Card records.

b. Management of Identifiers
(1) Uniqueness. Each identifier (University ID or SUNet ID) is unique; that is, each identifier is associated with a single person or other entity.
(2) One Identifier per Individual.  An individual may have no more than one University ID number and one personal SUNet ID.
(3) Non-Reassignment. Once an identifier is assigned to a particular person it is always associated with that person. It is never subsequently reassigned to identify another person or entity. Alternative IDs (that is, alternative names registered along with a personal SUNet ID) may be reassigned after a waiting period.

a. Stanford University Network Identifiers
SUNet IDs consist of alphabetic characters and digits, and are chosen by their users. Personal SUNet IDs are from three to eight characters in length. Other SUNet IDs may be up to 256 characters in length.

b. Types of SUNet IDs

(1) University-eligible Personal SUNet IDs
a) Full (University-eligible) Personal SUNet IDs are available to:

• Authorized, registered students, as defined by the Registrar; and
• Regular faculty and staff, and emeritus faculty and staff, including SLAC staff, as defined in Guide Memo 2.2.2: Definitions.

(b) Base (University-eligible)
Personal SUNet IDs are available to:

• Temporary and casual faculty and staff, as defined in Guide Memo 2.2.2: Definitions.
• Recent alumni and current hospital staff.

(2) Sponsored Personal SUNet IDs are available to all others, subject to the following conditions:

• The ID is to be used by a specific, named individual requiring access to University computing resources in support of legitimate University work.
• The ID is sponsored by:
• Full, sponsored Personal SUNet IDs must be sponsored by a member of the University's regular faculty or staff possessing requisitions or financial signature authority.
• Base, sponsored Personal SUNet IDs may be sponsored by a member of the University's regular faculty or staff.
• The sponsor accepts responsibility for ensuring that the sponsored ID is used in support of work consistent with the University's mission of instruction, research, and public service, and in a manner consistent with the University's policies.

c. Establishing a SUNet ID
SUNet IDs are established and maintained via online procedures. Note that employees and students must have a University ID number in order to obtain a SUNet ID.

An eight-digit University identification number is automatically assigned to regular, continuing employees by the PeopleSoft HRMS system and to students by the PeopleSoft Student Administration system. This number appears on the printed Stanford Identification Card (see Guide Memo 2.4.3: Stanford Identification Cards).

IDs are available to identify other kinds of entities such as groups, departments, mailing lists, roles, computer-based services, etc. For more information, submit a HelpSU request or phone the Stanford IT Help Desk at 650-725-4357.

a. Authentication Methods
Authentication methods involve presenting both a public identifier (such as a user name or identification number) and private authentication information, such as a Personal Identification Number (PIN), password, or information derived from a cryptographic key. Authentication methods currently supported by Stanford's central computing organization include:

• Kerberos authentication, which uses SUNet IDs and passwords.

b. Eligibility for Authentication Entry
A user must be associated with an entry in the authentication service to be able to use most centrally-supported systems and services.

(1) University ID and Regular Personal SUNet ID
Eligibility for an entry in the authentication service begins when the individual accepts the offer of student registration or employment. Eligibility ends when a person's active association with the University ends; i.e., when an employee is no longer employed (and does not have emeritus status) or a student is no longer registered. In certain circumstances, a grace period may be allowed as a courtesy after eligibility ends.  See IT Services procedures. 
(2) Sponsored SUNet ID
A sponsored SUNet ID is sponsored for a specific period of time. The sponsor determines the length of sponsorship; sponsorship must be renewed to keep the ID valid. There is no grace period: the entry becomes invalid immediately at the end of the sponsorship period.
(3) Reactivation
An entry may be reactivated if the individual subsequently rejoins the University, either via regular association or sponsorship.
(4) Suspension
The use of an authentication entry may be revoked if it is used in a manner inconsistent with Stanford policies or if an individual is subject to other administrative action that denies them University privileges.

c. User Responsibilities
(1) Official Actions
Use of the authentication service to identify oneself to an on-line system constitutes an official identification of the user to the University, in the same way that presenting an ID Card does. Users can be held responsible for all actions taken during authenticated sessions.
(2) Integrity
Regardless of the authentication method used, users must use only the authentication information that they have been authorized to use; i.e., must never identify themselves falsely as another person or entity.
(3) Confidentiality
Regardless of the authentication method used, users must keep their authentication information confidential; i.e., must not knowingly or negligently make it available for use by an unauthorized person.
(4) Reporting Problems
Anyone suspecting that their authentication information has been compromised should contact the information security office at security@stanford.edu or by entering a HelpSU request or by phoning the Stanford IT Help Desk at 650-725-4357.
(5) Security Precautions
Users are strongly encouraged to change their password regularly (at least once every three months), to limit possible abuse of passwords that may have been compromised without the user's knowledge. Passwords should be chosen so that they are not easily guessable; e.g., not be based on the user's name or birth date.
(6) Disciplinary Action
Individuals who are found to have knowingly violated one of these provisions will be subject to disciplinary action. The possible disciplinary actions for violations, which can include termination of employment or student status, will depend on the facts and circumstances of each case.

Kerberos, a sophisticated cryptographic authentication system, is the preferred authentication method for use with centrally-supported systems and services at Stanford.

a. Identifiers
Stanford's Kerberos system uses personal SUNet IDs to name its entries for people. Other entities, such as network-based services, also have Kerberos entries.

b. Use
Each Kerberos entry is associated with a srvtab or keytab based on a password hash maintained by the user. Kerberos software, installed on end-user computers, allows users to authenticate to network services using their SUNet ID and password.

c. Changing a Password
Password changes may be made using standard Kerberos software or via IT Services. The Kerberos system checks proposed new passwords and rejects those that are likely to be easily guessable.

d. Reissuing Passwords
When a SUNet ID holder forgets the password associated with a Kerberos entry, or if it is compromised and no longer private, he or she should immediately try to reset it themselves at https://accounts.stanford.edu/ or contact the Stanford IT Help Desk at (650) 725-HELP [725-4357] for assistance in having a new password issued.

This section contains recommendations and requirements for systems and services that use local identification and authentication methods rather than the centrally-supported methods.

a. Use SUNet IDs
Systems should use personal SUNet IDs to identify their users. This will be less confusing for users, and will ease future transition to centrally-supported authentication.

b. Avoid Clear-Text Passwords
Systems may not transmit reusable passwords across the network unencrypted. Such passwords are vulnerable to capture and abuse.

c. Support Password Quality
Systems should check proposed passwords and reject those that are likely to be easily guessable.

a. SUNet IDs
(1) Cognizant Office
The office responsible for implementing policy on SUNet ID system is IT Services.
(2) Support
Support information is available at http://www.stanford.edu/services/sunetid or submit a HelpSU request or phone the Stanford IT Help Desk at (650) 725-4357.

b. Kerberos
(1) Cognizant Office
The office responsible for implementing policy on the Kerberos authentication system is IT Services.
(2) Support
Support information is available by submitting a HelpSU request or phone the Stanford IT Help Desk at (650) 725-4357.

c. University IDs
(1) Cognizant Office
The offices responsible for implementing policy on University IDs are Human Resources (for employees) and Registrar (for students).