Ever send an e-mail using your Johns Hopkins account
and then question its appropriateness, or wonder if you
were allowed to install a piece of software on your work
computer? If so, the guidelines are now in.
The university has approved a wide-ranging set of
policies, effective immediately, for the appropriate use
and management of all Johns Hopkins information technology
resources.
The policies, the first such institutionwide ones set
at Johns Hopkins, cover the appropriate use of the JHU
network, e-mail and university-owned computer devices. The
purpose of the new guidelines is to ensure compliance with
all applicable federal, state and local laws, and to
safeguard and protect all IT resources from anything other
than the authorized and intended use.
IT resources include, but are not limited to, Web and
print servers, desktop computers and laptops, handheld
computers, software, storage media and printers. Software
and computer-related equipment acquired by Johns Hopkins
are considered Hopkins property.
Darren Lacey, chief information security officer for
the university and Johns Hopkins Medicine, said that it
became increasingly clear that Johns Hopkins needed a
standard set of IT policies with the broadest possible
applications. Previously, IT policies were set by division,
or by student or employee groups.
Lacey said that the uses of information technology
have changed dramatically over the last five to 10 years
and will likely continue to do so. For this reason, he said
it became critical for Johns Hopkins to articulate a clear
statement regarding the appropriate uses of IT resources to
ensure that the technology is secure, reliable and
available for the entire Johns Hopkins community. Many of
JHU's peer institutions, he added, have also recently
implemented such institutionwide policies.
The Johns Hopkins policies were drafted over several
years, under the leadership of the Institutional Computing
Standards Committee, a forum of IT managers and
administrators. First established to develop policies and
standards, the ICSC is now the principal means for sharing
IT issues and concerns at Hopkins.
In February, the Council of Deans officially approved
the policies, which address everything from the
installation of software to the proper use of a Johns
Hopkins e-mail account.
"These policies translate the complex legal
environment facing universities so that everyone in the
Hopkins community can understand our ethical and
institutional obligations," Lacey said. "In addition,
policies also establish rules of the road for use of
systems that, when taken together, can help ensure that
Hopkins IT resources are secure and reliable."
The acceptable use of IT resources is defined as "use
that is consistent with Johns Hopkins' missions of
education, research, service and patient care, and is
legal, ethical and honest." Acceptable use must also
respect intellectual property; an individual's rights to
privacy; and freedom from intimidation, harassment and
annoyance. Incidental personal use of IT resources is
permitted if consistent with applicable institutional and
divisional policy, and if such use is reasonable, not
excessive, and does not impair work performance or
productivity.
Examples of inappropriate use include illegal
downloading or pirating of software, the use of IT
resources for commercial/independent business purposes not
related to Johns Hopkins, use of JH e-mail to assert or
imply that one's personal views are the institution's views
or opinions, and the improper disclosure of a password
resulting in a system's unauthorized use or compromise.
Other cases of inappropriate use include sending harassing
e-mails, intentional display or storage of sexually
explicit images (except for legitimate, acknowledged
academic or medical purposes), broadcasting e-mail
communications to users of Johns Hopkins e-mail systems
without the proper approval and the intentional
distribution of messages that contain viruses, worms or
other malicious code.
The policies are applicable to everyone who uses
Hopkins IT resources. The failure to comply may result in
loss of access to some or all IT resources. In addition,
violators may be subject to criminal and/or civil penalties
and to disciplinary action, up to and including
termination.
The new IT policies also cover the use of anti-virus
software. Since electronic viruses, worms and malicious
software are constant threats to the security and safety of
computer networks and computing environments, the
university now requires that all devices vulnerable to
electronic viruses must be appropriately safeguarded
against infection.
Johns Hopkins has licensed anti-virus software for use
by faculty, staff and students. The new policy states that
it's the responsibility of every user to ensure that
anti-virus protection is current. Infected devices may be
blocked and/or temporarily removed from the JH Network by
IT@JH or appropriate departmental personnel.
Effective protection includes installing anti-virus
software on all vulnerable devices and utilizing automated
anti-virus updates.
Lacey said that the entire set of IT policies would be
reviewed at least every two years, as the technology
landscape will invariably continue to transform and
expand.
A complete list of the new policies can be found at
it.jhu.edu/policies.