Information Security Awareness - Students

A Handbook for Students

The University of Virginia has a highly complex and resource-rich information technology environment upon which there is increasing reliance to provide mission-critical teaching, research, public service, and healthcare functions. Users of the University's IT resources are responsible for using these resources responsibly in support of these functions, and for respecting the rights of others. The University is strongly committed to maintaining the privacy and security of confidential personal information and other data it collects. It expects all those who store such information to treat these data with the utmost care in order to protect the privacy and legal rights of the University community.

Use of these resources is governed not only by the University's own policies, Standards of Conduct and Honor System, but also by local, state, and federal laws. It is important that you read and understand the information within this handbook regarding responsible use of the information technology resources at UVA. Irresponsible behavior can jeopardize not only your access privileges, but may also lead to disciplinary and legal issues that could damage your university experience and ultimately your future.

Follow the Student IT Checklist. After you set up 2-Step Login (Duo), please take the Student CyberSecurity Awareness Training .

For information about the employee information security awareness training at UVA, please see our information security awareness training webpage

Table of Contents

  1. You, the University, and the Internet
  2. Good Citizenship in the Internet Community
  3. Threats to Your Online Safety and Security
  4. Protecting Yourself Online
  5. Email: Privacy Guidelines for Use
  6. Copyrights: Legal and Ethical Use
  7. About Web Pages and Individual Websites
  8. Abuse of Information Technology Resources
  9. Standards of Conduct and Disciplinary Action
  10. Summary

Sections

[collapsed title=I. You, the University, and the Internet]

As a student at the University of Virginia, you will have many opportunities to improve your proficiency in the use of information technologies. As a leader in the 21st century, you will learn how specific technologies within your major field of study are used, guiding you toward success in your classes and in your career. The University provides access to information technology resources such as email accounts, databases, servers, and the network. University determines who may use these resources and provides guidance regarding their intended use. In return, the University expects you to utilize these resources responsibly, in accordance with University policy, and with local, state, and federal laws. The University reserves the right to terminate access to IT resources whenever such action is deemed appropriate, such as for policy violations or malicious use.

Note: In order to connect your electronic device to the University of Virginia's network, you will have to register it. This registration associates your Computing ID with your device and its network activity.

Who Owns What?

We will use the possessive word “your” frequently in this booklet, but the term does not always mean ownership. In some cases, it means “exclusive use.” You may own a personal computer or workstation. You will make the decisions about how that equipment will be used. You may own a software license — word processing or spreadsheet software, perhaps — that you purchased from a software vendor. Your license usually allows you to possess one copy of this software for your own use. The same is true for software provided by the University for your use. It allows you to use the software while you are affiliated with the University. The general rule is ONE purchase, ONE copy, ONE USE.

The University owns the central computers, departmental computer labs, public computer labs, the computers it places on its employees’ desks, the printers and other devices it has attached to them, and all the software it has installed on them. The University determines who may use these resources and how they may use them.

The University owns the University network — all the wires, wireless hubs, cables, and routers that connect the central computers, computer labs, microcomputer sites, and perhaps your personal computer to each other and, beyond the Grounds, to the Internet. The University determines who is authorized to use its network, and can limit the nature of the use.

[/collapse]

[collapsed title=II. Good Citizenship in the Internet Community]

The University provides Internet access to students with the expectation that they, in exchange, will act as good, responsible, and accountable Internet citizens. The following are practical terms for how you can be a good Internet citizen at UVA.

  • Familiarize yourself with all applicable University policies, standards, and procedures that pertain to the use of technology and abide by them.
  • Don’t let friends, relatives, or any other person gain access to the University's IT resources using your account. You will be held accountable for any abuse of IT resources by persons who use your UVA computing ID and password.
  • Don’t use computer accounts, computing IDs, and passwords that belong to someone else. To do so violates policy and may violate law.
  • Know what local, state, and federal laws and regulations pertain to computing activities. Violators may be prosecuted.
  • Be considerate of others who also rely on the University's computers to do their work. Consider how your online behavior will affect them and act accordingly. DON'T waste shared information technology resources such as bandwidth on activities that have no academic purpose.
  • Don’t be surprised if you are interviewing for a job and you are asked about something you posted on Twitter or Facebook while you were a student. Remember that archives of social media and Web pages remain accessible for years.
  • Good Internet citizens respect one another's privacy. Persons who gain access to resources either by directly breaking into them or because they are poorly protected violate the Acceptable Use policy, along with an array of other University policies.

[/collapse]

[collapsed title=III. Threats to Your Online Safety and Security]

The Internet community is constantly under attack by cybercriminals seeking to do harm. Such malicious activities include:

  • committing fraud and identity theft from compromised accounts or systems;
  • theft of computing IDs and passwords;
  • disruption of computer systems and networks;
  • flooding email with unwanted messages (spam);
  • hijacking email accounts and sending forged electronic messages from friends, family, celebrities, politicians, the University president, colleagues, or even YOU;
  • phishing (learn more about phishing);
  • posting threatening messages;
  • spreading viruses and other malware;
  • subscribing and unsubscribing others to mailing lists without their consent; and
  • invading the privacy of others.

Students who willingly engage in these activities at the University of Virginia may lose computing privileges and suffer other severe consequences, such as suspension or expulsion, from the disciplinary entities at the University. They may also be prosecuted under state and federal laws. It is prudent to reboot the computer you use in any shared-computer setting upon completion of your work there, or when you walk away from any workstation, even if you intend to return soon. Remember: You are held accountable for any misuse or your account, even if you are not the perpetrator.

In exchange for providing information technology resources, the University trusts students to make responsible use of them. If you violate that trust, you may lose network access.

Should you become aware that any of these activities are occurring, please report them immediately to the University Information Security office.

[/collapse]

[collapsed title=IV. Protecting Yourself Online]

Secure Your Personal Equipment

Given the current cybersecurity threat landscape, it is required that all computing equipment, regardless of ownership, take reasonable care to meet security standards highlighted in the Security of Networked Devices Standard. If you connect your personal computing equipment or any other non-UVA equipment to the University network, you are responsible for securing that equipment. Please refer to this standard, as well as to the University Information Security office website for more information.

Failure to secure your personal equipment may result in the removal of access for your equipment to our network. The following is a list of ways to prevent introducing additional risk to the University network:

  • limit access to your equipment to authorized persons;
  • keep files from unknown sources off your equipment;
  • use up-to-date antivirus software;
  • use caution in opening attachments and clicking links in suspicious emails;
  • use only supported operating systems and software;
  • keep your operating system up-to-date;
  • use only legal copies of software and copyrighted materials;
  • keep application software updated; and
  • disable unneeded software features.

Securing Your Personal Information

Threats of identity theft and other malicious activities are ever-present online. Fortunately, there are simple actions you may take to protect yourself. Although not an exhaustive list, the following guidelines, tips, and reminders will assist you in safeguarding your email.

  • Choose a strong password/passphrase and do not share it with anyone. For help choosing a good phasephrase, see https://security.virginia.edu/passphrase-guidance. Do not re-use UVA passwords/passphrases anywhere else online.
  • Protect yourself against phishing. Phishing is the most commonly-used scam that uses email or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other personally identifiable information. These messages should be viewed as illegitimate attempts to gain this personal information and should be deleted. These emails may appear to be legitimate. Be wary. Legitimate sources will not ask for personal or account information without providing a way to verify the email. If you receive an electronic communication such as an email from what appears to be your bank or credit card company, or any email that seems out of context given the sender, directing you to click an embedded link, delete the email. Learn more about phishing »
  • Do not use another individual’s credentials or allow them to use yours.
  • Log off or password lock the screen of your computer when you leave your desk.
  • Keep information displayed on your screen confidential, and keep confidential printed material secured.
  • Back up your data regularly.
  • If you become aware that University data may have been exposed to unauthorized persons, contact Information Security at [email protected].
  • Social media Websites such as Twitter, Instagram, and Facebook make it is easy to share information about your whereabouts, your contact information, and your physical attributes. Be cautious about sharing any information that may put you at personal risk.

[/collapse]

[collapsed title=V. Email: Privacy and Guidelines for Use]

Email is the official means for communication with every University student (undergraduate, graduate, resident), regardless of year or enrollment status. Students are responsible for any consequences resulting from their failure to check their email for official University communications.

Checking Email

Students are expected to receive and read those communications in a timely fashion. The following are specifc situtations.

  • Since the University will send official communications to enrolled students by email using their primary email addresses, students must specify the email service to which messages sent to their primary email address will be delivered. In making these delivery choices, students are responsible for selecting the email service(s) they most frequently use to ensure they receive and read official University communications in a timely manner.
  • Students are expected to check their official email accounts once a day at a minimum to remain informed of University communications.
  • Students are responsible for any consequences resulting from their failure to check their email on a regular basis for official University communications.

Email and Confidentiality

Except in specific circumstances, the content of the electronic communications and files associated with your account will be treated as confidential by the University because it does not routinely examine or monitor such content. You should be aware, however, that your electronic communications and files are records that are subject to review with sufficient justification. They may be subject to Virginia Freedom of Information Act if they were produced, collected, received or retained in pursuance of law or in connection with the transaction of public business (rarely the case with student email). They may lose whatever confidentiality they have if their release is compelled by legal orders.

University policy allows system administrators to view and modify any files, including email messages, in the course of diagnosing or resolving system problems and maintaining information integrity. System administrators, as part of their jobs, are expected to treat any such information on the systems as confidential. However, if an administrator comes across information that indicates illegal activity, he or she may report the discovery to appropriate authorities. For example, electronic mail messages that carry threats to persons or their immediate families may be prosecuted and punished as felonies under Virginia law. If a system administrator inadvertently encounters an email message containing a threat or other illegal content, it will be turned over to law enforcement officials.

Also, officials overseeing the University’s disciplinary processes may rule that electronic communications and files are evidence that may be reviewed as part of investigations. Under these circumstances, the privacy of your email and other files is not guaranteed. System administrators, however, must follow certain standards when dealing with requests for individual account log or content information from persons other than the account holder.

Although you might have downloaded and/or deleted your email messages, email delivery systems work in such a way that messages may be preserved for a time as computer files on centrally-administered servers and at back-up locations, so your capacity to control if and where copies exist is not absolute. The array of storage locations is another factor making the confidentiality of your electronic communications and files conditional.

Email Guidelines For Use

Many guidelines and best practices have been established for email. Some are listed below.

  • Email you send becomes the possession of the receiver and is easily redistributed by recipients. Do not put anything in email you do not wish to be accessed by anyone other than the recipient.
  • Double-check email content and the addresses of your intended recipients. You will not be able to retract emails you mistakenly send.
  • Delete any email mistakenly sent to you, and alert the sender.
  • When the confidentiality of a message is of the utmost importance, only a person-to-person conversation will suffice.
  • Delete messages that should not be preserved, such as personally identifiable information that you may have sent or received.
  • Although some email programs allow for use of encrypted email, most still produce messages in plain text; they should be likened to postcards in that others might view the messages in transit or those left in plain view.
  • The Suspicious Email Alerts page provides a useful list of malicious email messages known to be circulating at UVA (please bookmark this page!).
  • Do not download or execute attachments about which you have any question, even if they appear to be coming from a friend. Email attachments are a popular format used to distribute viruses, and your friend may not even know that his or her email account is being used for that purpose.
  • If you are sending attachments, include personalized text and specific references to provide specific context that will help the recipient know that the message and attachment are indeed from you.
  • Any large-scale mailing must be coordinated according to the mass email procedure in accordance with the UVA Mass Electronic Mailings policy.
  • Don’t use University resources, computing or otherwise, for commercial purposes.
  • Should you die, any stored email and files associated with your account are a part of your personal effects and will not be released unless you have provided written instructions authorizing someone else to access your email following your death.

This website provides additional information for students about email at UVA.

[/collapse]

[collapsed title=VI. Copyrights: Ethical and Legal Use]

Unauthorized use of copyright-protected or licensed materials (including, but not limited to, software, images, movies, music or audio files) is a violation of University policy and federal law. Any individual who reproduces and/or distributes digitized copyrighted material without permission and in excess of “fair use” has violated University policy, the Student Standards of Conduct, and federal digital copyright law. Please see the Copyrights of Digital Materials and Software Standard for more information.  The University will not shield such individuals from lawsuits brought by the copyright owner.

Individuals who use filesharing software such as BitTorrent to stream or download files often unknowingly allow their computers to be used by the software to share not only these files, but also the individuals' personal files with other filesharing users on the Internet.

Copyright owners such as major entertainment companies have technology that will detect illegal streaming and downloading over the internet and will contact UVA with specific location details used to identify you.  UVA will use this information to contact you and require that you immediately discontinue the illegal use. The University will not protect individuals who use or share (knowingly or not) copyrighted materials without an appropriate license to do so.

Copyright laws and policies also apply to software. Most software available for use on computers at the University of Virginia is protected by federal copyright laws. The software provided through the University for use by faculty, staff, and students may be used only on computing equipment as specified in the various software licenses. Licenses sometimes specify that you may use the software only while you are a member of the UVA community.

It is the policy of the University to respect the copyright protections given to software owners by federal law. It is against University policy for faculty, staff, or students to copy or reproduce any licensed software on University computing equipment, except as expressly permitted by the software license. Of course, faculty, staff, and students may not use unauthorized copies of software on University-owned computers.

Remember: You are held accountable for any misuse or your account, even if you are not the perpetrator.

[/collapse]

[collapsed title=VII. About Web Pages and Individual Websites]

The University's Web server and tools provide the opportunity for you to develop and publish an individual website. In doing so, you are expected to act responsibly, just as you would in all use of information technology resources at the University. The following is not an exhaustive list of web page development responsible use, but provides a good overview of what is required.

  • You assume full legal responsibility for the content of your Web page(s).
  • You must abide by all applicable local, state, and federal laws, including laws of copyright. Be advised that you are responsible for the content used on the Web pages you develop (https://www.virginia.edu/siteinfo/copyright).
  • You may not use individual Web pages for fundraising or advertising for commercial or non-commercial organizations, except for University-related organizations and University-related events and in accordance with policies governing these activities.
  • You may not use the University name in your Web pages in any way that implies University endorsement of organizations, products, or services about which you publish.
  • You may not use University logos and trademarks, including the crossed sabers and "V," the Cavalier mascot, the University seal, or photographs copyrighted by the University. Requests for permission to use the University logos or seal in Web or print publications should be directed to University Communications.

Please note that should any complaints regarding the content on your website will be forwarded to the appropriate disciplinary system within the University.

[/collapse]

[collapsed title=VIII. Abuse of Information Technology Resources]

Unfortunately, computer abuse, malicious behavior, and unauthorized account access do happen. Prohibited conduct relating to computer access and use for which students may be subject to disciplinary action are defined in the University of Virginia Standards of Student Conduct. Some examples of abuse include:

  • the use of obscene or abusive language;
  • unauthorized use or misuse of state property or records which includes electronic data;
  • willfully or negligently damaging or defacing state records, state property or another persons' property;
  • falsification of records; and
  • theft or unauthorized removal of state records, state property or another persons' property.

Should you become aware of any of these activities, report them to University Information Security or another appropriate University authority immediately. Information technology resource abuse should be reported to the electronic mail address [email protected]. For more information on acceptable use practices, see the University Information Security website.

[/collapse]

[collapsed title=IX. Standards of Conduct and Disciplinary Action]

The University of Virginia is a community of scholars in which the ideals of freedom of inquiry, freedom of thought, freedom of expression, and freedom of the individual are sustained. It is committed to preserving the exercise of any right guaranteed to individuals by the Constitution. However, the exercise and preservation of these freedoms and rights require a respect for the rights of all in the community to enjoy them to the same extent.

It is clear that in a community of learning willful disruption of the educational process, destruction of property, and interference with the orderly process of the University or with the rights of other members of the University cannot be tolerated. Students enrolling in the University assume an obligation to conduct themselves in a manner compatible with the University’s function as an educational institution. To fulfill its functions of imparting and gaining knowledge, the University retains the power to maintain order within the University and to exclude those who are disruptive of the educational process.

When it is possible for the Student Standards of Conduct to be applied to conduct related to information technology at the University, you should expect that they will be. Read them at the University Judiciary Committee’s website, and you will note how several are particularly relevant to the information technology environment.

Students at the University have both rights and responsibilities. The University is committed to supporting the exercise of any right guaranteed to individuals by the Constitution and the Code of Virginia and to educating students relative to their responsibilities. Students’ rights are listed in The Undergraduate Record and its graduate counterpart.

The University’s Standards of Conduct include the expectation that students understand and abide by all University information technology-related policies. Any student violating such policies will be subject to full disciplinary action within the Undergraduate and Graduate Student Judicial System, up to and including loss of information technology accounts and access, suspension and/or expulsion.

The procedures for handling alleged student abuse of information technology resources are detailed in various University publications and websites, including The Undergraduate Record and its graduate counterpart. Such resources describe the Honor System and the University Judicial system, as well as the University’s policies, all of which form the context for ITS’s procedures.

Note: In order to connect your computer to the University of Virginia's network, you will have to register your computer with ITS. This registration associates your Computing ID with your computer and its network activity. In this way, ITS has the ability to contact you directly in the event of any technical issues or violations associated with your information technology equipment.

[/collapse]

[collapsed title=X. Summary]

The University provides Internet access to you with the expectation that, in exchange, you will act as good, responsible, and accountable Internet citizen. The following are practical terms for how you can be a good Internet citizen at UVA.

  • Familiarize yourself with all applicable University policies, standards, and procedures that pertain to the use of technology and abide by them.
  • Don’t let friends, relatives, or any other person gain access to the University's IT resources using your account. You will be held accountable for any abuse of IT resources by persons who use your UVA computing ID and password.
  • Don’t use computer accounts, computing IDs, and passwords that belong to someone else. To do so violates policy and may violate law.
  • Know what local, state, and federal laws and regulations pertain to computing activities. Violators may be prosecuted.
  • Good Internet citizens respect one another's privacy. Persons who gain access to resources either by directly breaking into them or because they are poorly protected violate the Acceptable Use policy, along with an array of other University policies.

In exchange for providing information technology resources, the University trusts you to make responsible use of them. If you violate that trust, you may lose access to UVA IT resources.

It is your responsibility as a user of the University of Virginia's computers and networks to be familiar with the University policies, standards, and procedures that govern their use. By using your computing ID at UVA, you automatically agree to abide by all of the policies, terms, and conditions, including but not limited to the information in this publication and on the UVA Information Technology Policy website.

Have further questions?

Student Rights and Responsibilities are listed in the Standards of Conduct available online from the University of Virginia Judiciary Committee website. You will find similar information listed on the Vice-President and Chief Student Affairs Officer website. For any other questions, please contact the UVA Help Desk.

[/collapse]