University Administrative Policies

 

Administrative Policies and Procedures Manual - Policy 2500: Acceptable Information and Information System Use

Date Originally Issued: 11-01-1991
Revised: 03-21-1997, 08-28-2000, 07-01-2011, 03-26-2015, 07-06-2020, 06-08-2023, 07-11-2024

Authorized by RPM 3.1 ("Responsibilities of the President")
Process Owner:  Chief Information Officer

1. General

As New Mexico’s flagship institution of higher learning, the University of New Mexico (UNM) encourages, supports, and protects freedom of expression as well as an open environment to pursue scholarly inquiry and to share information. Access to UNM information and UNM information systems (‘System/s’) supports the University community by providing access to electronic information through user accounts (‘Account/s’). University information and Systems, network resources, and Information Technology (IT) facilities are finite, valuable resources. Accounts that access these resources should be used with consideration for the needs of others and for the impact of account user (‘User’) actions on University information and Systems. As with any resource, there is a possibility of misuse. To help prevent or mitigate such misuse, this policy outlines proper and improper behaviors, defines misuse and incidental use, explains User rights and responsibilities, and briefly reviews the repercussions of violating this policy.

The University provides Accounts for authorized Users to access information and Systems on a need-to-know basis, to University employees, retirees, students, and specified collaborators of the University, and periodically to visitors and guests. Information and Systems are intended primarily for furthering the clinical care, education, research, and public service missions of the University and may not be used for commercial purposes or profit-making. This Policy is applicable to all Users of University-owned or controlled communications and network equipment, computers and servers, storage devices and media, as well as IT-related facilities, whether such persons are students, staff, faculty, or other users of University information and Systems. All University policies including, but not limited to, confidentiality, data governance, and information security; hostile work environment and sexual harassment; intellectual property protection; misuse of University equipment; and privacy shall apply to the access to information and use of Systems.

1.1. System Use Policies and Procedures

University Information Technologies (UNM-IT), as well as individual departments within the University, may define additional departmental policies and procedures for information and systems for which they are responsible. Departmental policies and procedures must be consistent with this policy but may provide additional detail, guidelines, and/or restrictions. Such policies may not relax or subtract from this policy. Where departmental policies and procedures exist, the enforcement mechanisms defined within those policies and procedures shall have the force and effect of this policy. Individual departments are responsible for publicizing their policies and procedures concerning the authorized and appropriate use of the information and Systems for which they are responsible. In such cases, the Dean, Director, or Chair shall provide the appropriate vice president, Office of University Counsel (OUC), and the University Information Security and Privacy Officer (ISPO) with a copy of such policies and procedures prior to their implementation, and whenever materially updated.

1.2. Information Systems

For the purposes of this policy, information Systems include the following:

  • All University electronic and non-electronic information
  • All components of University Systems, including, but not limited to communication and networking devices and services, IT facilities and infrastructure, computer hardware and related peripherals, storage devices, and all commercial and non-commercial software, regardless of cost.

2. Rights and Responsibilities

Access to University Systems is a privilege. Users must use University information and Systems in an appropriate, ethical, and lawful manner that complies with all other applicable University policies. Unauthorized access is prohibited. Access may be monitored and reported to appropriate University personnel and/or law enforcement agencies.

The University reserves the right to limit a User’s access to information and Systems, to help ensure the availability, confidentiality, and integrity of information and Systems.

Aside from publicly accessible Systems, such as UNM’s public-access computers and guest wireless network, access to all University information and Systems must be authorized by the appropriate UNM Data Steward and Dean, Director, or designee and in accordance with the terms of UAP 2520 ("Accessing and Safeguarding Personally Identifiable and Controlled Information"). Working with UNM Data Guidelines are available to assist Users in working securely with UNM data.

2.1. User Responsibilities

Users are responsible for their activities using UNM information and Systems, and specifically are responsible for the use of their accounts and credentials, including but not limited to account names, Multi-Factor Authentication (MFA), passphrases, and Personal Identification Numbers (PINs). Users will respect and comply with the guidelines, policies, procedures, rules, and standards that govern the use of information and Systems at a UNM campus or UNM-designated location (UNM Worksite). Users must understand and keep up-to-date with this and all other applicable University information and System policies and procedures.

2.1.1. Information Security for Remote Work and for UNM Worksites

Employees subject to a remote work arrangement are responsible for the safety and security of all University-owned equipment, information and records, and materials at the alternate work location. This includes remaining compliant with UAP 2550 ("Information Security"), and maintaining information security and record confidentiality and integrity, as similarly required when working at any UNM Worksite. Incidents of theft should be immediately reported to Law Enforcement, and a police report of the theft provided to the employee’s manager.

Where possible, employees should not use non-UNM owned computers or mobile devices to conduct official UNM business. However, users working with UNM information from any computer or mobile device, whether UNM-owned or personally owned, located at a UNM Worksite or alternate work location, should comply with the guidelines within Working with UNM Data. Employees must contact their supervisor with specific questions about the security of information or Systems. Additionally, employees must report any suspected instances of loss, damage, or unauthorized access to UNM’s Information Security and Privacy Office (ispo.unm.edu) and to their supervisor as soon as possible.

Employees must ensure information is not disclosed in violation of FERPA, GLBA, HIPAA, or any other state or federal laws, regulations or ordinances, or UNM policies and procedures. All Users, and especially all employees, are responsible for regularly reviewing University policies and guidelines for protecting information and Systems.

Personally Identifiable Information (PII)/Controlled Unclassified Information (CUI) and other highly-confidential or regulated information/materials shall not be removed from any UNM System, UNM Worksite, or alternative work location unless approval is granted in advance by the supervisor, department chair/director, or appropriate UNM Data Steward. For Export Controlled information or Systems, approval by UNM’s Industrial Security Office is also required. The following policies address PII/CUI, proper use of University information, processes, Systems and records:

Questions regarding the application of these guidelines, policies, procedures, standards, and/or what constitutes “highly confidential information/materials” may be addressed to any of the offices identified above.

2.1.2. Copyrights and UNM Software Licenses

An IT Officer (ITO) or other UNM IT support staff should always be consulted when software purchase and installation is required on a UNM device, or when UNM-licensed software will be installed on a personal device that does not explicitly allow for personal use. Among other services provided, ITOs and other IT support staff help ensure that UNM maintains compliance with its software license agreements, including allowability for personal use when applicable, and that software does not create security issues with UNM information or Systems. Publicly available software may have additional restrictions for use in a higher education environment, and failure to adhere to specific software terms could result in unexpected costs, fines, and penalties. Additionally, the University maintains enterprise licensing agreements on certain software titles that are available to UNM community members at reduced or at no additional cost. Please be advised that in the event of a reported software license violation, unlicensed or improperly licensed software costs are the responsibility of the individual, unit, department, college or school to which those Systems are assigned.

For more information about specific software, or to submit a suggestion for new software to be made available to the UNM community, please contact the applicable ITO or other UNM IT support staff. For assistance identifying the applicable IT Officer, see “Get to know your IT Officer.”

2.1.3. Enterprise Software Licenses

The University enters into enterprise license agreements with software providers for campus-wide use of many software products. In addition, many software applications are available at an educational discount through LoboMart. Before buying or downloading software, departments should contact the appropriate IT Officer (ITO) or other UNM IT support staff to determine if the University has an enterprise license or purchase agreement for the software in question. This helps ensure that software, even free software, is allowed to be installed and used to conduct UNM business on UNM-owned equipment. This also helps to protect the privacy of UNM information by ensuring appropriate terms and conditions are in place to protect applicable UNM data. All users are responsible for adhering to University procurement policies and procedures.

2.1.4. Account and Information Security

Users of UNM Systems are responsible for keeping accounts, Multi-Factor Authentication (MFA), passphrases, and PINs, among other account security controls, confidential, and are responsible for safeguarding all University information, especially information covered by state and federal regulations such as FERPA, GLBA, and HIPAA, regardless of how the information is accessed or where the information is stored.

Unless there is a legitimate University purpose, users shall keep all employee, patient, research subject, retiree, student, or other PII confidential (as defined by FERPA, GLBA, PCI, HIPAA, and any other applicable agreement, or federal or state regulation) and shall not transmit or request to receive such information without authorization from the appropriate UNM Data Steward. Such information must be kept in appropriate, authorized Systems. Examples of this type of information include, but are not limited to social security numbers, drivers’ license numbers, birth dates, passports, Protected Health Information (PHI) within the meaning of HIPAA, and insurance policy numbers. When in doubt, Users should contact the appropriate Data Steward or the University Information Security and Privacy Officer.

2.1.5. User Accounts

UNM-IT and departments that maintain IT Systems provide Accounts to users for accessing University information and Systems. These Accounts, and the credentials that go with them, are a means of uniquely identifying a user, and part of how information systems authenticate and authorize a user. Users should never share their account, passphrase, Multi-Factor Authentication (MFA), or Personal Identification Number (PIN). Please see UNM’s Account Security Standard for additional details.

2.1.5.1. Account Termination and Locking

When an individual leaves or substantially changes roles at the University, all access to information and Systems provided to Users must be removed as soon as reasonably possible.  Retirees may retain certain access to their account for allowable personal use, as identified in Technology Available to UNM Retirees. This access is subject to change.  If misuse or theft is detected or suspected, user account(s) will be locked according to the University’s procedures. 

2.1.6. Physical Security

Everyone is responsible for the proper use and physical protection of University information and Systems. Examples of physical protection measures include:

  • locking areas and setting alarms after business hours or at other times when not in use;
  • privacy screen film that helps prevent on-screen work from being viewed by others;
  • evaluating special precautions for high-value equipment;
  • ensuring documents with CUI/PII are not left on desks or other workspaces, and locking up documents and systems when not in use; and
  • following University policies for taking computer equipment off campus. Refer to UAP 7730 ("Taking University Property Off Campus").

2.1.7. Information Security

Security of information and information systems is an essential responsibility both of system administrators and of system users. For details on the responsibilities of systems administrators and users, as well as responsibilities of Data Owners and Stewards, see UAP 2550 ("Information Security"), UAP 2520 ("Accessing and Safeguarding Personally Identifiable and Controlled Information"), and UAP 2580 ("Data Governance").

2.1.7.1. Protection against malicious and unauthorized software

All University systems must have software installed, running, and automatically updated where technically possible, to prevent malware, ransomware, viruses, and other unauthorized software.  For more information, please see this Endpoint Detection and Response (EDR) knowledge article, or open an IT Help ticket.

3. Unacceptable Computer Use

The University reserves the right to remove access to any information or Systems that are deemed in violation of University Policy, or that otherwise put UNM information and Systems at risk. The University reserves the right to sanction a user pursuant to Section 7 herein if it is determined, after an investigation by the appropriate office, that the user violated federal or state law, rules, or regulations, or University policy by misusing University information or Systems. The University will disclose illegal or unauthorized activities to appropriate University personnel and/or law enforcement agencies.

3.1. Policy Violations

Users shall not:

  • share their account credentials (MFA, Passphrase, PIN, etc.) with others;
  • attempt to defeat or circumvent any security measure, control, or record-keeping system, nor attempt to access any account to which the user is not authorized;
  • use UNM Systems to gain unauthorized access to any other Information System;
  • intentionally alter, misappropriate, dismantle, disfigure, disable, or destroy any information or System;
  • knowingly distribute malicious or unauthorized software, such as malware (e.g., computer viruses).

3.2. Legal Violations

Users shall not use information or Systems:

  • for workplace violence of any kind as defined in UAP 2210 ("Campus Violence");
  • for unlawful purposes, including fraudulent, threatening, defamatory, harassing, or obscene communications;
  • to violate the privacy rights of anyone;
  • to access or disclose student records in violation of FERPA;
  • to access Systems without authorization;
  • to access or disclose financial information in violation of the GLBA or the University’s Information Security Program;
  • to access or disclose any non-public or PII about an employee, patient, research subject, or student without authorization and without having an authorized, legitimate University purpose;
  • to access, use, or disclose PHI within the meaning of HIPAA or any applicable state or federal law relating to the confidentiality of health information or mental health record about an employee, patient, or student without having authorization and a legitimate University purpose, or otherwise in violation of HIPAA and applicable University policies pertaining to HIPAA, and/or State of New Mexico mental health statutes that protect the confidentiality of mental health records; or
  • to violate University policy, local, state, or federal law, including but not limited to copyright and other intellectual property laws.

3.3. Other Misuse

Users shall not use information or Systems:

  • in violation of any University contractual obligation, including limitations defined in software and other licensing agreements;
  • in a way that suggests University endorsement of any commercial product (unless a legal agreement exists and any communication or computing activity has been pre-approved by an appropriate vice president);
  • to conceal one’s identity, or masquerade or impersonate another, when using systems, except when anonymous access is explicitly authorized;
  • to possess or distribute obscene material unrelated to University clinical, instruction or research needs;
  • by physically or electronically installing any software or hardware to a System that negatively impacts the availability, confidentiality, or integrity of University Systems;
  • for prohibited political activities as defined in UAP 2060 ("Political Activity");
  • to send non-work or non-class related information to an individual who requests the information not be sent, or otherwise fail to comply with the Federal Trade Commission (FTC) CAN-SPAM Act Rule.

Users should understand that, due to their nature, electronic communications can be intentionally or unintentionally viewed by others or forwarded to others, and are therefore inherently not private. In addition, addressing errors, System malfunctions, and System management may result in communications being viewed and/or read by System administrators or other IT staff.

4. Incidental Personal Use

The University allows incidental personal use of Systems. Such use must not: interfere with employees fulfilling their job responsibilities, consume significant time or resources, interfere with other users' access to resources, be excessive as determined by management, or otherwise violate any federal or state laws, any individual college or departmental policies or codes of conduct, or other University policies. Each department that maintains Systems should document and communicate what use is acceptable. Personal files should not routinely be saved on UNM Systems and may be deleted in the event Systems need to be reimaged, or if an account is suspended.

5. Privacy Limitations

Users of University Systems, including managers, supervisors, and systems administrators, shall respect and protect the privacy of others, in accordance with all applicable local, state and federal laws, regulations and University policies. UAP 2520 ("Accessing and Safeguarding Personally Identifiable and Controlled Information") defines the limited conditions under which access to information can be obtained. Although the University is committed to protecting individual and information privacy, the University cannot guarantee the security or privacy of information stored and transmitted through University Systems. Since confidential information in Systems may be displayed on screens, or printed on paper that could be temporarily in public view, or could otherwise be at risk, Users must control access by:

  • using unique passphrases and other factors to enforce secure authentication to access workstations and other Systems;
  • turning workstation screens away from public view and using privacy film on screens;
  • logging out of Systems when leaving the work area;
  • cross-cut shredding physical records containing PII or CUI prior to disposal; and
  • clearing PII or CUI off desks and workspaces and storing it securely.

While the University does not routinely monitor individual usage of Systems, the normal operation and maintenance of the Systems require the backup and storage of information, the logging of activities, the monitoring of general usage patterns, and other such activities as are necessary for the rendering of IT services. Similarly, the University does not, in the regular course of business, monitor the content of Systems and networks. However, suspicious aggregate behavior, official requests from authorities, digital forensic evaluation, or discovery for purposes of civil litigation, or indications of an information security incident, for example, can cause System activities to be reviewed. It is the right of the University to monitor and review any activities on its resources. It is a best practice, therefore, to presume that any and all actions taken or activities performed using University information and Systems are not completely private.

The University may also access and examine the Accounts and information, including but not limited to email, electronic files, storage devices, and third-party provided services, of a User under the following circumstances and conditions:

  • if necessary to comply with local, federal or state law; or
  • if the appropriate vice president, designee, or other authorized investigative body (i.e., Internal Audit) determines there is reasonable suspicion that a law or University policy has been violated and the examination of the Account is needed in support of their fact finding with regard to the alleged violation; or
  • as part of an investigation involving a state or federal agency-related administrative claim or charge, arbitration or litigation; or
  • if required to preserve public health and safety.

Requests for access based on reasonable suspicion must be approved in writing, in advance, by the appropriate vice president or authorized investigative body. If access to a faculty member's account is being requested, the faculty member’s supervisor, dean, director, or chair must be notified in conjunction with the request for approval. Each request must be well-defined, narrowly targeted, and specify the purpose of access, and such access will be limited to information related to the purpose for which access was granted. If such access is being requested for a vice president’s information, access must be approved by the President. If such access is being requested for the President’s records, access must be approved by the UNM Board of Regents. If such access is being requested for the Regents’ information, access must be approved by Internal Audit.

Accessing an employee’s computer files for work-related, non-investigatory purposes (i.e., to retrieve an email or file needed while the employee who maintains the email or file is away from the office) is permitted and only requires the written approval of the employee’s supervisor, as long as access is limited to the immediate work-related need.  When an employee separates from the University, all work-related files, including but not limited to research data, as well as all records made or kept in any University System, physical or electronic, remain the property of the University.

As with physical communications and other documents, electronic records are generally subject to New Mexico's Inspection of Public Records Act (IPRA). Therefore, all employees are urged to use the same discretion and good judgment in electronic communication and documents as they would use in creating paper documents.

6. Reporting Procedures

Suspected violations of this policy (e.g., any incidents involving the unauthorized access to, destruction of, or misuse of information or Systems by employees, students, or other Users) must be reported to the appropriate Dean, Director, or department head, and the ISPO. In the case of a suspected violation of civil or criminal law, the ISPO will notify UNM Police Department, UNM Internal Audit, and/or Office of University Counsel (OUC), as appropriate. Suspected violations by non-employees will be referred to the appropriate authorities. UNM Internal Audit or the Office of Compliance, Ethics & Equal Opportunity (CEEO) should be contacted if assistance is needed to identify the appropriate authority.

7. Sanctions

The misuse, unauthorized access to, or destruction of University information or Systems in violation of applicable laws or University policy may result in sanctions, including but not limited to withdrawal of use privilege and accounts; disciplinary action up to and including expulsion from the University or discharge from a position; and legal prosecution. Loss of Account access may have very serious repercussions on employees’ and students’ ability to be successful in their roles and programs at UNM, even absent further sanctions.