Information Assets Responsible Use Policy
SDSU Research Foundation has adopted the CSU Responsible Use Policy.
Information assets are information systems, data, and network resources to include electronic files and databases. Information systems are any combination of hardware, network and other resources that are used to support applications and/or to process, transmit and store data, including, but not limited to desktop computers, laptop computers, netbooks, smart phones, servers, voicemail, e-mail, electronic storage devices, automated files and databases. These items and all data transmitted through SDSU Research Foundation (Research Foundation) systems are Research Foundation property and must be maintained according to Research Foundation, SDSU and CSU Information Security policies.
Information assets used by Research Foundation employees, Principal Investigators, Project Directors, students, and all authorized third parties are provided solely to further Research Foundation’s business operations. The Research Foundation reserves the right to use appropriate means to safeguard its data, preserve network and information system integrity, and ensure continued delivery of services to users, including rights to:
- inspect all Research Foundation property to ensure compliance with its policies, without notice to the employee and at any time, not necessarily in the employee’s presence
- temporarily suspend accounts or network connectivity
- change or override passwords and personal codes due to business necessity.
SDSU Information Security Policies and Procedures: https://it.sdsu.edu/security/policies
CSU Information Security Policy: https://calstate.policystat.com/policy/10593951/latest
General Principles and Responsible Use of Information Systems and Assets
It is the collective responsibility of all users to ensure the confidentiality, integrity, and availability of information assets owned, leased, or entrusted to SDSU Research Foundation (Research Foundation), SDSU, and CSU in an effective, efficient, ethical, and legal manner. Users are expected to use good judgment and reasonable care in order to protect and preserve the integrity of Research Foundation equipment, its data and software, and its access.
User Responsibilities
- Accounts created for an individual are for the use of that individual only. Computer accounts, passwords, and other types of authorization are assigned to individual users and must not be shared with others. Use of on-line userid and passwords in Research Foundation systems is the equivalent of a wet ink signature on paper and users are responsible for all use of their assigned account(s). The user shall assist in the investigation and resolution of a security incident regardless of whether or not the activity occurred without the user’s knowledge and as a result of circumstances outside his or her control.
- Users must take reasonable steps to protect their credentials from becoming known by or used by others and follow established policies and procedures for setting, maintaining, and changing passwords. https://www.foundation.sdsu.edu/hr_annual_password_policy.html
- Users must manage electronic files in accordance with current record retention policies. Electronic files and stored data, including voicemail and e-mail messages, are considered business records and can be subpoenaed or requested via a public records request. Nothing should be included in a voicemail or e-mail message that would not be considered to be in a memo. Obsolete electronic files should be deleted as soon as practical.
- Users must comply with the McKee Transparency Act and public records requests related to SDSU Research Foundation business. www.leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_8_bill_20110714_amended_asm_v95.pdf (PDF Format, 233KB)
Responsible Use of Information Assets
- Prior authorization must be obtained before any Research Foundation property may be removed from the premises. The Research Foundation reserves the right to inspect all Research Foundation property to ensure compliance with its rules and regulations, without notice to the employee and at any time, not necessarily in the employee’s presence.
- Promptly report the theft or loss of any device that contains (laptop, server, portable storage, mobile device, etc.) or grants access to (passwords, credentials, keys, access cards, etc.) information assets.
- Use software in a way that is consistent with relevant license agreements.
- Observe all applicable policies of all internal and external computers or networks when using such resources.
- Users must take reasonable precautions to ensure their personal and/or Research Foundation-provided devices (e.g. laptops, smart phones, computers, flash storage, etc.) are secure before connecting to SDSU/Research Foundation information systems and assets.
- Users should log off when not using the computer information systems, including closing or securing connections to the Research Foundation/SDSU network (e.g. remote desktop, virtual private network connections) when assets are unattended.
- Users should take reasonable precautions to avoid introducing harmful software, such as viruses, into CSU/SDSU/Research Foundation systems and networks, such as avoiding opening email and attachments from unknown users, browsing only “work” related websites, downloading only approved software, and being alert to phishing attempts to help avoid malware infections.
- Users with knowledge, or a reasonable suspicion, must report unauthorized use of computing resources or observed gaps in system or network security to the project director, supervisor or system administrator, or other appropriate authority immediately upon discovery.
- Users are expected to follow all state laws that apply to use of information assets. For example, it is illegal under California law to record a conversation with another individual without the individual’s consent. If you have questions about what is permissible in your state, please contact Human Resources.
Restrictions and Prohibited Use
Both California law and Research Foundation policy prohibit, in general, the theft or other abuse of information assets. Such prohibitions apply to all information assets and include (but are not limited to): unauthorized entry, use, transfer, and tampering with the accounts and files of others; interference with the work of others and with other information technology resources or services.
Users must not use or access Research Foundation information assets in a manner that conflicts with the Research Foundation and University missions; violates applicable laws, regulation, contractual agreements or CSU/SDSU/Research Foundation policies or standards; or causes damage to or impairs Research Foundation information assets or the productivity of SDSU/Research Foundation users through intentional, negligent or reckless action.
Research Foundation information assets should not be used for the following purposes:
- Circumvent data security schemes, identify or exploit security vulnerabilities or decrypt secure data;
- Monitor, read, copy, change, delete or tamper with any other employee's electronic communications, files or software;
- To attempt to obtain system privileges to which authorization has not been granted or give unauthorized access to others; access file(s), use a password, or retrieve or download any stored information or communications without express authorization;
- Knowingly or recklessly run or install a program, such as a worm or virus, that is intended to damage or place an excessive load on computer information systems or networks;
- Knowingly or recklessly violate the security policies of SDSU, SDSU Research Foundation or any other computer network facility, interfere with the authorized computer use of others, or interfere with the normal running of services on any computer information system or network. This includes unauthorized modifications to software or hardware of any computer or network, propagating viruses, or excessive network traffic that interferes with the use of others.
- Connect unauthorized equipment to the network or load unauthorized software on individual computers or the system;
- Unauthorized disclosure of sensitive or confidential information;
- The creation or distribution of any illegal, disruptive, discriminatory, threatening, harassing, abusive, or offensive messages, including offensive comments about ancestry, race, color, creed, sex, gender, physical or mental disabilities, age, sexual orientation, medical condition, marital status, religious beliefs and practices, political beliefs, or national origin.
- To copy or distribute copyrighted material unless the employee has confirmation from an appropriate source that the Research Foundation has the right to copy or distribute the material;
- Deliberately waste computer resources, including bandwidth, disk space, and printer paper, or run or install games or other unauthorized software on Research Foundation computers;
- Use Research Foundation's systems or networks to gain unauthorized access to any computer information system;
- Install any software on Research Foundation owned computing equipment that is not in accordance with the software license agreement and without prior authorization from the appropriate IT manager responsible for managing the network the computer will connect to;
- Illegal duplication and distribution of software and its related documentation;
- In the interest of the safety of our employees and other drivers and in compliance with California law, Research Foundation employees are prohibited from using cellular phones and writing, sending, or reading text-based communications from any mobile devices while driving on Research Foundation business and/or Research Foundation time.
- Sending e-mail or other communications that either mask identity or indicate that someone else sent them;
- Post or communicate any on-line statements or comments about or on behalf of Research Foundation that have not received prior authorization from Research Foundation senior management;
- Anything in conjunction with an employee’s outside business endeavors or sales of any product or outside service (home products, cosmetics, etc.);
- To access, view, download, or otherwise obtain obscene matter. “Obscene matter” as used in this section has the meaning specified in Section 311 of the Penal Code. This prohibition does not apply to accessing, viewing, downloading, or otherwise obtaining obscene matter for legitimate scientific or academic purposes.
- Post or communicate any messages related to political issues (i.e., encouraging or advocating a certain position, bill, etc.) unless there is a legitimate reason directly related to Research Foundation’s business. Prior approval for such messages and their planned distribution list must be obtained from the office of the Research Foundation's Chief Executive Officer.
Protection of Sensitive Data
Users who access, transmit, store or otherwise process Level 1 or Level 2 data as defined in the CSU Data Classification Standard (https://www.foundation.sdsu.edu/hr_annual_data_class_handling_policies.html) must use all reasonable efforts to prevent unauthorized access and disclosure of confidential, private, or sensitive information.
- Employees must not store or transmit protected university/foundation data using services hosted by third parties which do not have a contract in place with the campus or the foundation, such as personal cloud accounts.
- Users must not use unsecured communication or transmission methods to deliver protected Level 1 or Level 2 data (as defined in section 3.0 of the San Diego State University Information Security Plan), including but not limited to e-mail, voicemail and fax transmissions.
- Users must not provide access or transmit Level 1 or Level 2 data to another user without prior approval from the data owner or custodian.
- Users must not store or process protected Level 1 or Level 2 data on any personal devices (laptops, computers, mobile devices, portable storage media, etc.).
- Users must not access or transmit unencrypted Level 1 data over a public network.
Social Media
Research Foundation recognizes that use of social media tools can be an effective method to communicate with constituents and raise the visibility of Research Foundation administered research and sponsored program activities. Social media is a general term used to reference sites and activity on sites like Facebook, LinkedIn, Instagram, Twitter, YouTube, or any other virtual hub where users interact. Official groups or pages for SDSU Research Foundation must be supervisor-approved, follow SDSU Social Media guidelines, and be approved by the SDSURF Communications Officer.
Privacy and Disclosure
Access to Research Foundation's information systems and assets is provided to facilitate the conduct of its business. All messages and other communications generated through and/or stored on these systems are considered business records. Employees who use information systems, including accessing Research Foundation systems and information assets from their home, should understand that information stored on these systems cannot be considered confidential or private. Research Foundation reserves the right to access any electronically stored information at any time in the service of its legitimate business interests.
In the normal course of system and information security maintenance, both preventive and troubleshooting, system administrators and service providers may be required to view files and monitor content on the CSU, SDSU, and SDSURF networks, equipment, or computing resources. These individuals shall maintain the confidentiality and privacy of information unless otherwise required by law or SDSURF/SDSU/CSU policy.
Personal messages and data on Research Foundation property are not to be considered confidential or private. Although employee passwords may be used for Research Foundation-oriented security reasons, the use of such passwords is not intended to assure employees that any messages or other communications generated by or stored on these systems will be kept confidential. Employees are therefore asked to exercise good judgment in using these systems.
Non-Research Foundation information such as personal credit reports, personal bank statements, or event contract information should not be stored on any Research Foundation systems, as the Research Foundation does not assume responsibility for securing this information and many systems may not be secured for this information by default. Personal information does not just pertain to first party personal information (the employee’s), but also to any third-party personal information (someone else’s).
All business records must be retained in accordance with SDSU Research Foundation’s record retention policies and are subject to public disclosure in accordance with the McKee Transparency Act.
Incidental Personal Use
Access to Research Foundation systems is provided solely to further Research Foundation’s business operations. Incidental and occasional personal use of Research Foundation resources is acceptable but must be no more than “de minimis” (e.g. must have so little value that accounting for it would be unreasonable or impractical). Such minimal and occasional incidental use must not violate applicable laws; must not interfere with the operation, maintenance or use of SDSU/Research Foundation information systems and assets; must not interfere with assigned duties; must not result in a loss to the Research Foundation or the University; and must not be in pursuit of individual private financial gain or advantage. Non-work related messages and files should be saved in separate folder(s) from business records.
External Access / Communications
Under certain conditions, employees will need to communicate with external users electronically and/or over the internet. Employees are cautioned to exercise an additional level of discretion and sound judgment when communicating with third parties via these systems.
Employees should safeguard SDSU Research Foundation’s confidential information, as well as that of guests and others, from disclosure. Messages containing confidential information should not be left visible while you are away from your work area.
Employees should be aware that Internet sites maintain logs of visits from users. These logs identify the company and the individual who accessed the Internet website. If your work requires a high level of security, please ask your supervisor or an appropriate manager for guidance on securely exchanging e-mail or gathering information from Internet sources.
Mass mailings from Research Foundation must be for business purposes and shall be approved by the SDSURF Communications Officer or assigned delegates before sending.
Users should exercise good judgment in the use of e-mail distribution groups. These groups are intended for business purposes only.
Policy Enforcement
Any employee found to have violated these guidelines or other provisions of this policy may be subject to disciplinary action, up to and including termination of employment. Any employee with questions regarding any of the above is encouraged to ask his or her manager, supervisor or the Research Foundation Human Resources office for clarification.
The Research Foundation reserves the right to temporarily or permanently suspend, block, or restrict access to information assets when it reasonably appears necessary to do so in order to protect the confidentiality, integrity, availability, or functionality of Research Foundation information assets or to protect the Research Foundation from liability.
The Research Foundation may also refer suspected violations to appropriate law enforcement agencies.
Separation from SDSU Research Foundation
When an individual's affiliation with Research Foundation is ended, their access to SDSU Research Foundation information assets will be deactivated and all equipment must be returned.
Adopted 2/2018
Reviewed 2/2019
Updated: 1/2023