About The Gazette Search Back Issues Contact Us    
The newspaper of The Johns Hopkins University October 10, 2005 | Vol. 35 No. 6
IT policies Established for JHU

Guidelines cover e-mail, computers, software, network, more

By Greg Rienzi
The Gazette

Ever send an e-mail using your Johns Hopkins account and then question its appropriateness, or wonder if you were allowed to install a piece of software on your work computer? If so, the guidelines are now in.

The university has approved a wide-ranging set of policies, effective immediately, for the appropriate use and management of all Johns Hopkins information technology resources.

The policies, the first such institutionwide ones set at Johns Hopkins, cover the appropriate use of the JHU network, e-mail and university-owned computer devices. The purpose of the new guidelines is to ensure compliance with all applicable federal, state and local laws, and to safeguard and protect all IT resources from anything other than the authorized and intended use.

IT resources include, but are not limited to, Web and print servers, desktop computers and laptops, handheld computers, software, storage media and printers. Software and computer-related equipment acquired by Johns Hopkins are considered Hopkins property.

Darren Lacey, chief information security officer for the university and Johns Hopkins Medicine, said that it became increasingly clear that Johns Hopkins needed a standard set of IT policies with the broadest possible applications. Previously, IT policies were set by division, or by student or employee groups.

Lacey said that the uses of information technology have changed dramatically over the last five to 10 years and will likely continue to do so. For this reason, he said it became critical for Johns Hopkins to articulate a clear statement regarding the appropriate uses of IT resources to ensure that the technology is secure, reliable and available for the entire Johns Hopkins community. Many of JHU's peer institutions, he added, have also recently implemented such institutionwide policies.

The Johns Hopkins policies were drafted over several years, under the leadership of the Institutional Computing Standards Committee, a forum of IT managers and administrators. First established to develop policies and standards, the ICSC is now the principal means for sharing IT issues and concerns at Hopkins.

In February, the Council of Deans officially approved the policies, which address everything from the installation of software to the proper use of a Johns Hopkins e-mail account.

"These policies translate the complex legal environment facing universities so that everyone in the Hopkins community can understand our ethical and institutional obligations," Lacey said. "In addition, policies also establish rules of the road for use of systems that, when taken together, can help ensure that Hopkins IT resources are secure and reliable."

The acceptable use of IT resources is defined as "use that is consistent with Johns Hopkins' missions of education, research, service and patient care, and is legal, ethical and honest." Acceptable use must also respect intellectual property; an individual's rights to privacy; and freedom from intimidation, harassment and annoyance. Incidental personal use of IT resources is permitted if consistent with applicable institutional and divisional policy, and if such use is reasonable, not excessive, and does not impair work performance or productivity.

Examples of inappropriate use include illegal downloading or pirating of software, the use of IT resources for commercial/independent business purposes not related to Johns Hopkins, use of JH e-mail to assert or imply that one's personal views are the institution's views or opinions, and the improper disclosure of a password resulting in a system's unauthorized use or compromise. Other cases of inappropriate use include sending harassing e-mails, intentional display or storage of sexually explicit images (except for legitimate, acknowledged academic or medical purposes), broadcasting e-mail communications to users of Johns Hopkins e-mail systems without the proper approval and the intentional distribution of messages that contain viruses, worms or other malicious code.

The policies are applicable to everyone who uses Hopkins IT resources. The failure to comply may result in loss of access to some or all IT resources. In addition, violators may be subject to criminal and/or civil penalties and to disciplinary action, up to and including termination.

The new IT policies also cover the use of anti-virus software. Since electronic viruses, worms and malicious software are constant threats to the security and safety of computer networks and computing environments, the university now requires that all devices vulnerable to electronic viruses must be appropriately safeguarded against infection.

Johns Hopkins has licensed anti-virus software for use by faculty, staff and students. The new policy states that it's the responsibility of every user to ensure that anti-virus protection is current. Infected devices may be blocked and/or temporarily removed from the JH Network by IT@JH or appropriate departmental personnel.

Effective protection includes installing anti-virus software on all vulnerable devices and utilizing automated anti-virus updates.

Lacey said that the entire set of IT policies would be reviewed at least every two years, as the technology landscape will invariably continue to transform and expand.

A complete list of the new policies can be found at


The Gazette | The Johns Hopkins University | Suite 540 | 901 S. Bond St. | Baltimore, MD 21231 | 443-287-9900 |