Creating an AUP that’s simple enough to understand but strong enough to protect your network can be a delicate balance.
Alexandra ShimallaAlexandra Shimalla is a freelance journalist and higher education writer.
Listen PauseEveryone has encountered plenty of fine print, whether they’re registering a new product or creating a new account.
For higher education institutions, the fine print has another name: an acceptable use policy. While often overlooked, AUPs ensure the protection of data, critical and sensitive information, institutional assets, and the online security of faculty, staff and students.
An AUP is “a document that sets guidelines for how the network is used,” explains Molly Maley-Gaik, CIO at St. Xavier University in Chicago. Simply put, AUPs define how an institution’s assets should be used.
At St. Xavier, Maley-Gaik says email has an important AUP. No sensitive information is allowed to be sent by email; students should be directed to a safe and secure portal to view tuition bills and scholarship information, for example.
Alternatively, AUPs can be explained as what they aren’t, says Matthew Hall, vice president for information technology and CIO at the University of Central Florida. For example, professors aren’t allowed to run a personal business from their work laptops.
Although there aren’t necessarily different types of AUPs, the policies are often adjusted to fit different technologies, platforms and processes. For example, a college’s AUP for file sharing, copyright or mass email use might differ from the strict rules of the Family Educational Rights and Privacy Act.
Common acceptable use policy statements contain “expectations for use, respect for data, equipment, email information, password and security information, acceptable and unacceptable behaviors, and violations for noncompliance,” Maley-Gaik says.
AUPs may include language about administrative standards, political regulation or behavioral regulation, explains Hall. Institutions might not want certain types of speech to proliferate on their networks; those stipulations would be in relevant AUPs.
“You can create many different variants of the acceptable use policy, but really the spirit of the policy and why we have them, especially in the public sector, is to maximize the investment on behalf of the mission you’re trying to attain,” Hall says. “We need to have our investments aligned to what is focused on our students and faculty, learning and teaching, our research and our mission.”
Hall recommends minimum enforcement and policy constructs: “Complexity is the enemy.”
He encourages schools to reduce the social, policy, regulatory and technical deployment complexity. “It’ll make for a happier community,” he says.
Universities and colleges are dedicated to furthering the minds, careers and research of their students and faculty. These are places of inspiration, ideation and innovation. If a policy hinders that, then it’s time to update.
As threats arise or as social norms change, you have to adapt your policies.”Matthew Hall Vice President for Information Technology and CIO, University of Central Florida
Acceptable use policies are ever-changing. Consider how much technology has changed in the past few years alone, particularly the proliferation of online learning. Once upon a time, email was taboo. As new technology arises, the way faculty, students and staff interact with those tools changes as well. Administrations must amend their policies in turn.
At the same time, some policies can become antiquated. Fax machines aren’t as popular as sending scanned documents via email or portal.
Security is also a major concern for higher education, including national security issues regarding certain social media platforms that are currently being discussed. If those vulnerabilities exist, institutions might have back doors into their networks and data.
“As threats arise or as social norms change, you have to adapt your policies,” says Hall, who monitors UCF’s network for vulnerabilities and security events.
Sometimes machines or software must be removed from the network because of their vulnerability to attack, explains Hall. “I have an obligation to monitor our devices, and as a matter of policy, I have an obligation to take them off the network if they don’t meet our minimum standards,” he says.
However, AUPs can be amended to be more expansive. “Personal and professional lives have been conjoined,” Hall explains. “Imagine if you couldn’t use a corporate asset to look up the number of a plumber during an emergency.”
As long as the incidental use isn’t abusive, people aren’t misusing the technology or slacking, says Hall.
He also likes to think of these changes as removing the barriers for faculty and students to collaborate and advance their fields. If students want to use a cloud-based solution such as Microsoft Teams to collaborate on a project, but they’re hindered by bureaucratic forms and a lengthy approval process, the opportunity to learn is lost.
“We need to make sure that the assets we manage are used fully and maximally on behalf of the people we serve, whether it’s the faculty, students or administration. We buy these assets not for people to host their website or play games; we buy them to further the mission of the university,” Hall explains. “It’s our job as IT management to make sure these assets are used fully to that purpose.”