Responsible Use of Computing Policy
The Responsible Use of Computing Policy applies to all academic and operational
departments and offices at all university locations, owned and leased. The policies
and procedures provided herein apply to all university faculty, staff, students,
visitors, and contractors.
The university provides and maintains computing and telecommunications technologies
to support the education, research, and work of its faculty, staff, and students.
To preserve the security, availability, and integrity of George Mason computing
resources, and to protect all users' rights to an open exchange of ideas and information,
this policy sets forth the responsibilities of each member of the George Mason
community in the use of these resources. To accomplish these ends, this policy
supports investigations of complaints involving George Mason computing abuse,
including sexual harassment, and honor code and federal or state law violations.
A user of George Mason's computing resources should be aware that violations
of this policy may result in revocation of access, suspension of accounts, disciplinary
action, or prosecution, and that evidence of illegal activity will be turned over
to the appropriate authorities. It is your responsibility to read and follow this
policy and all applicable laws and procedures. If you observe someone using
George Mason computing resources to violate this policy or another university policy,
you can report it by e-mail to the Security Review Panel (SRP) at firstname.lastname@example.org.
Many local computing systems have similar e-mail reporting addresses.
III. Rules of Use
Access to George Mason computing resources is a privilege granted on a presumption
that every member of the university community will exercise it responsibly. Because
it is impossible to anticipate all the ways in which individuals can damage, interrupt,
or misuse computing facilities, this policy focuses on a few simple rules. These
rules describe actions that you should avoid and the principles behind them. Each
rule is followed by a (not exhaustive) list of examples of actions that would
violate the rule.
Rule 1: Use George Mason computing resources consistently with the stated priorities.
These priorities are set on the use of George Mason computing resources:
High: All educational, research, and administrative purposes
of the university.
Low: Other uses indirectly related to university purposes
that have an educational or research benefit, including news reading, web browsing,
chat sessions, and personal communications.
Forbidden: Selling access to George Mason computing resources;
engaging in commercial activity not sanctioned by the Provost's Office; intentionally
denying or interfering with any network resources, including spamming, jamming,
and crashing any computer; using or accessing any George Mason computing resource,
or reading or modifying files, without proper authorization; using the technology
to misrepresent or impersonate someone else in any way; sending chain letters;
violating federal or state law, or university policy.
Note: Employees and contractors of the Commonwealth of Virginia may not use
George Mason computing resources for recreation or entertainment.
The low-priority uses of George Mason computing should be avoided during the
times of peak demand, typically the mid-afternoon to late evening hours. During
peak periods, other users may be prevented from doing their high-priority work
if you are doing something of low priority. Those users are likely to complain
to you or to the SRP if they observe you interfering with their work. Certain
activities, such as broadcasting e-mail to very large distributions, will consume
large amounts of resources; avoid them.
Rule 2: Don't allow anyone to use your account for
Your account username identifies you to the entire international Internet user
community. Another person using your account, whether or not you have given permission,
will be acting in your name. You may be held responsible for that person's actions
in your account. If that person violates any policies, his or her actions will
be traced back to your username and you may be held responsible. The easiest way
to protect yourself is to protect your password. If you have a legitimate reason
to give someone access, keep it strictly temporary, and change your password after
that person finishes using your account. Definitely do not give your password
to anyone you do not trust. If someone else offers you use of an account that
you are not authorized to use, decline. If you discover someone's password, don't
use it; report the access of the password to the owner or to email@example.com.
Rule 3: Honor the privacy of other users.
The university respects the desire for privacy, and voluntarily chooses to
refrain from inspecting users' files, except in certain well-defined cases (described
below in Section V). System administrators who carry out standard administrative
practices, e.g., backing up files, cleaning up trash or temporary files, or searching
for rogue programs, do not violate privacy. Examples of privacy violations are
given below to help you avoid violating the privacy of other users:
- Don't access the contents of files of another user without explicit authorization
from that user. Typically, authorization is signaled by the other user setting
file access permissions to allow public or group reading of files. Since some
systems by default make all files readable to all users and some users don't know
this, the file permissions are not reliable. It is always best to ask.
- Don't intercept or monitor any network communications not explicitly meant
- Don't use the systems to transmit personal or private information about individuals
unless you have explicit authorization from the individuals affected. Don't distribute
such information unless you have permission from those individuals.
- Don't create programs that secretly collect information about users. Software
on George Mason computing resources is subject to the same guidelines for protecting
privacy as any other information-gathering project at the university. You may
not use George Mason computing resources to collect information about individual
users without their consent. Note that most systems keep audit trails and usage
logs (e.g., for ftp, netscape, and login); these are not secret and are considered
normal parts of system administration.
Rule 4: Don't impersonate any other person.
Using George Mason computing resources to impersonate someone else is wrong.
If you use someone else's account without permission, you may be committing acts
of fraud because the account owner's name will be attached to the transactions
you have performed. If, while using someone else's account, you communicate with
others, you should clearly identify yourself as doing so.
If you send anonymous mail or postings, you should realize that it is normal
etiquette to identify that your message is anonymous or is signed with a pseudonym.
Because policy violators often use anonymous communication to hide their identities,
many people give less credence to anonymous communication than to signed communication.
System administrators who receive anonymous complaints and cannot locate the
sender for additional information or clarification may be unable to assist the
sender or provide witnesses to support claims of illegal activity.
Rule 5: Don't use George Mason computing resources to violate other policies or laws.
Don't use George Mason computing resources to commit violations of federal
or state laws, or other university policies. Examples are given below to help
you avoid inadvertent violations. This list is not comprehensive. In case of
doubt, contact the Security Review Panel or send e-mail to firstname.lastname@example.org.
- Don't violate copyright laws and licenses. Many programs and their documentation
are owned by individual users or third parties, and are protected by copyright
and other laws, licenses, and contractual agreements. You must abide by these
restrictions; to do otherwise may be illegal.
- Don't use George Mason computing resources to violate harassment laws or policies.
Various types of harassment, including sexual or racial, are proscribed by university
- Don't use George Mason computing resources to violate the Honor Code.
- Don't use George Mason computing resources to attack computers, accounts,
or other users by launching viruses, worms, Trojan horses, or other attacks on
computers here or elsewhere.
- Don't use George Mason computing resources to harass or threaten others.
- Don't use George Mason computing resources to transmit fraudulent messages.
- Don't use George Mason computing resources to transmit, store, display, download,
print, or intentionally receive obscene material, or to distribute pornographic
material to minors.
All users of George Mason computing resources are subject to all federal and
state obscenity laws.
IV. Schools, Institutes, Centers, and Departments
George Mason organizational units operate computers and networks to support
their missions. The principles of this policy apply to all university organizational
units, and any computers owned or operated by the university. Units may set additional
local policies and expectations that are consistent with this policy. For example,
local units may stipulate that material displayed for public access from their
sites should be consistent with their public image and mission. They may set guidelines
for format and content of material in home pages, ftp directories, listservs,
netlibs, info servers, and the like, and may appoint an editor or moderator for
such material. They may prioritize and prohibit types of use in order to efficiently
manage their computing resources.
V. Electronic Information Environment
Your personal e-mail, electronic files maintained on university equipment,
and personal web pages are part of a unique electronic information environment.
This environment creates unique privacy issues that involve federal and state
laws as well as university policies. This section provides a starting point in
your considerations on how to use this electronic information environment.
E-mail is not secure. It is easily forwarded to a multitude of recipients and
may be altered. Intruders to the network may be able to bypass your password protection.
Your e-mail may also be accessible under freedom of information laws, and backup
computer tapes may contain deleted e-mail for over a year. Mail undelivered for
any reason may be copied to the mailbox of a postmaster on the sender or recipient
computers. For all of these reasons and others, your expectations of privacy concerning
your e-mail and electronic files should take these realities into account.
Most systems have public directories for temporary files. Examples are print
spoolers, system-wide web caches, and scratch areas used by document editors.
The temporary files stored in these directories are usually restricted to being
readable only by the owner. To protect privacy and prevent these directories from
overflowing, system administrators empty them regularly. You should never count
on these files surviving after you log out.
No user may intentionally read personal files, including those storing e-mail,
without the owner's consent. In the event of a lawful investigation of misconduct,
law enforcement officials and university officials involved in the investigation
may inspect user files and communications. In such a case, the chair of the Security
Review Panel (SRP) should be notified immediately, preferably before the inspection
occurs. Users whose files have been inspected will normally be notified within
14 days by e-mail or other appropriate means.
The university reserves the right, to the fullest extent permitted by law,
to inspect user files and communications for the purposes of investigating allegations
of illegal activity or violations of university policies, or to protect the integrity
and safety of network systems.
VI. Web Pages
The university's official web pages (www.gmu.edu)
contain public information about the university's offerings, programs, and promises
to students and the public. These pages project the public identity of the university
and are its first electronic point of contact with the general public, students,
parents, and employers. The university exercises editorial control over the content
of its official web pages.
The university is not responsible for information, including photographic images,
published on or accessible through personal web pages, including personal home
pages. Personal web pages, created and maintained by employees, students, or university-recognized
student groups, are the sole responsibility of the person or student group identified
by the account. The university does not monitor the contents of these personal
web pages. The individual creating or maintaining personal web pages may be held
criminally or civilly liable for the materials posted on the web site. For example,
an individual who posts obscene material may be subject to criminal prosecution,
and an individual who posts copyrighted material might be liable to the owner
of the copyrighted material under copyright law.
Personal web pages contain the personal expression of their creators. The contents,
including link identifiers, of these pages include academic subjects, hobbies,
religion, art, and politics, as well as materials that some viewers may find offensive.
Neither the contents nor the link identifiers are reviewed or endorsed by the
university. If you feel you might be offended by material following a link identifier
or material on the page itself, you should not continue.
The university will investigate all complaints involving personal web pages,
and will remove or block material or links to material that violate federal or
state law or university policy.
VII. System Administrators (SAs)
The SAs of various computers on George Mason campuses have special responsibilities.
They have been granted extraordinary powers to override or alter access controls,
configurations, and passwords, which they should exercise with great care and
integrity. SAs manage computers and administer policies, but they do not create
policies. Their actions are constrained by this policy and by the policies of
local administrative units.
A set of guidelines and standards for all SAs is created and maintained by
the SRP. These guidelines will address job descriptions, integrity issues, and
standard system administration actions that do not violate privacy. Managers of
university units who employ SAs are responsible for ensuring that the SAs comply
with and enforce the requirements of this policy and local policy in the systems
for which they are responsible. SAs who violate this policy or any local policy,
or who misuse their powers, are subject to disciplinary action.
If an SA observes someone engaging in activities that would seriously compromise
the security or integrity of a system or network, e.g., intrusions, break-ins,
unauthorized service or access denials, or Trojan horses, the SA may take immediate
action to stop the threat or minimize the damage. This may include termination
of processes, scanning for rogue programs, disconnection from a network, protection
and holding of evidence for an investigation, or temporary suspension of an account.
Account suspensions must be reported immediately to the SRP. SAs who observe suspected
violations of law should immediately alert the University Police.
Should a valid complaint be filed against an SA, the SRP will determine if
the SA's action could have been accomplished only by someone with the extraordinary
powers of an SA. If not, the SRP will follow the "stopit" procedure
to request that the SA refrain from the action in the future; if so, the SRP will
forward the matter to the SA's supervisor for appropriate action.
VIII. Security Review Panel (SRP)
This policy establishes an SRP that is responsible for reviewing SAs' decisions,
responding to complaints, and periodically reviewing this policy. The SRP consists
of three faculty members, one graduate student, one undergraduate student, one
Information Technology Unit (ITU) staff member, and one non-ITU system administrator
(SA). The SRP members are appointed by the vice president for information technology
and services for a term not to exceed two academic years. The SRP chair will be
one of the faculty members and will be appointed by the vice president for information
technology and services.
SAs will report all violations and their responses to the SRP immediately.
Any member of the community can report a violation to the SRP via the stopit mechanism.
Upon receipt of a complaint from a user or an SA, the SRP chair will assign one
of the members as the case worker for that complaint. The three-step stopit process
within which the SRP operates is described below in Part IX.
The SRP is authorized to create subgroups to assist in its mission. An example
is a George Mason Emergency Response Team, which coordinates responses to abuses,
provides technical assistance on security matters to SAs, and issues security
The SRP is also responsible for periodically reviewing these policies and recommending
improvements and clarifications as needed. All modifications to the policies will
be made after full public disclosure and a reasonable period for public comment.
IX. The Stopit Process
The process described here, called "stopit" after a similar process
at Massachusetts Institute of Technology, uses a graduated approach to handle
violations of this policy. The approach is based on two premises: The vast majority
of users are responsible; and most offenders, given the opportunity to stop uncivil
or disruptive behavior without having to admit guilt, will do so and will not
repeat the offense.
This policy distinguishes between incidents that pose no immediate dangers
to persons or to system integrity, and incidents that do. The three-step "stopit"
process described below is designed for cases in which there are no immediate
Incidents posing immediate dangers to persons or systems require immediate
action. These include active system break-ins or intrusions, denials of service,
and fraud or criminal activity conducted using Masonet resources. In these cases,
the responsible SA may take reasonable actions to deal with the threat, such as
temporarily disconnecting the system from the network, temporarily suspending
accounts, and calling law enforcement officers. The SA taking such actions will
notify his or her supervisor and the SRP chair as soon as practicable.
The "stopit" process rests on two foundations:
Wide Distribution of Policy Information
Notices describing the essence of this policy will be displayed in computer
labs on George Mason premises; the same information will be given to new users
and to each user annually. New users will be asked to sign their agreement to
this policy as a condition of activating their accounts.
Standard Reporting Mechanism
The "stopit" e-mail address (email@example.com)
is monitored regularly by SRP members, who will respond promptly to complaints.
Anyone observing harmful or disruptive behavior should report it to the stopit
e-mail address or to University Police. The SRP member who responds to a complaint
will normally forward it to the SA of the system on which the infraction apparently
occurred. That SA will investigate the complaint, determine its validity, and
take appropriate actions such as sending the first warning (see below).
The steps of the process are as follows:
STOPIT 1: First Warning
The SRP member handling a case (or SA, if the case is delegated) will send
a warning letter to the alleged perpetrators of improper use of George Mason computing
resources, harassment, or other uncivil behavior. The letter will have this form:
"Someone using your account did [whatever the offense is]." This
is followed by an explanation of which policy this behavior violates and why it
is a violation. "Account holders are responsible for the use of their accounts.
If you were unaware that your account was being used in this way, it may have
been compromised. Your system administrator can help you change your password
and re-secure your account. If you are aware, then please make sure that this
does not happen again."
This warning ensures that the alleged perpetrators are aware that a policy
violation may have occurred and that there was a complaint. It offers them a chance
to desist without having to admit guilt and a chance to secure their account against
STOPIT 2: Second Warning
If there is a second offense from an account that received a first-warning
letter, the cognizant SRP member will issue a second warning and may require that
the account holder come to a mandatory interview. The SRP chair can authorize
the temporary suspension of access to the user's account if the individual fails
to arrange for a mandatory interview. The user can request a hearing before the
STOPIT 3: Disciplinary Procedures
If the previous "stopit" stages do not convince the perpetrators
to desist, the matter will be turned over to the appropriate university authority
designated for that type of offense. The SRP will make available all information
and evidence it has on the case to that authority.
If it appears from the evidence that any federal or state laws may have been
violated, the SRP may suspend the account pending the outcome of the university's
or law enforcement authorities' investigation.
X. Amendments and Additions
All amendments and additions to this policy are to be reviewed and approved
by the Office of the Provost and the Office of the Senior Vice President.
XI. Effective Date
The policies herein are effective October 20, 1997. This administrative policy
shall be reviewed annually and revised, if necessary, and becomes effective at
the beginning of the university's fiscal year, unless otherwise noted.
Any updates or additions to this information are on the web site www.gmu.edu/srp
and take precedence over any printed matter.