Responsible Use: Computing Privileges Revocation

[Nov 23, 2009 14:09] Web access to Microsoft Live@edu accounts now works.

Effective: November 15, 1993

The Department of Information Technology and Communication (ITC) is neither an investigative nor a disciplinary entity in its primary responsibilities. However, in cases where University resources and privileges are abused or otherwise threatened, the department will take appropriate steps. The following is a procedure for action in such instances. The procedure applies only in cases involving ITC-owned or managed equipment. It does not apply to violations by ITC employees, which are covered by other processes.

  1. ITC system administrators may revoke network access at any time to safeguard University resources and protect University privileges, as explained in the University-wide Computer Usage Policy, also known as the Ethics in Computer Usage statement. Such revocations will be for a maximum of one month, pending review by a committee appointed by the Vice President and Chief Information Officer (VP/CIO) of the University or his or her representative. This committee will report its decision to the VP/CIO; a request for review and/or appeal of the decision may be made to the VP/CIO.
  2. The review committee appointed by the VP/CIO will include: at least one representative each of the instructional faculty, students, and classified staff, usually drawn from the membership of advisory committees to the Department of Information Technology and Communication or from ITC staff; the Director for Security Coordination and External Relations; and staff from the Vice President for Student Affairs Office.
  3. The committee's duties include reviewing interim revocations by system administrators, extending such revocations to longer terms as it sees fit, and imposing sanctions in response to complaints it has received through the office of the VP/CIO. The committee bases its judgments on the University-wide Computer Usage Policy. The committee is also responsible for communicating the results of its review of such matters to appropriate authorities, generally the Vice President and Provost or the Vice President and Provost for the Health Sciences for faculty, the Vice President for Student Affairs for students, and the Director of Employee Relations for classified staff. If a person whose privileges have been revoked then violates the conditions of the revocation, the next step of enforcement falls with those University officers. For example, a student who violates conditions of revocation risks charges under the student Standards of Conduct, especially Standard 12. Similar disciplinary mechanisms (beyond those of ITC) exist for faculty and classified staff.
  4. As noted earlier, cases involving immediate threats to University resources and privileges may lead to interim action by ITC system administrators. System administrators or others (both within and beyond the University community) may lodge complaints against individual users whom they believe to have violated the University Computer Usage Policy. Those complaints will be made in writing or by e-mail to the VP/CIO at abuse@virginia.edu. ITC staff (coordinated by the VP/CIO) will assemble information about any case (either based on a complaint or on interim revocation of privileges by a system administrator) and will provide it to the committee.
  5. The process for assembling information is as follows:
    1. A complaint or a notice of interim revocation by a system administrator comes to the VP/CIO's office in writing or by e-mail. The VP/CIO will review the matter to see if the alleged violation appears both intentional and serious enough to warrant committee review. If not, the matter ends here.
    2. The VP/CIO notifies the accused violator of the complaint in writing. That notice offers the accused violator the opportunity to provide a written response within a time limit (generally five working days) specified in the notice. The VP/CIO asks appropriate ITC staff and other University personnel to provide any additional information that would be useful in evaluating the case. The VP/CIO then gives the material to the committee, which makes its decision by majority vote on the basis of the records available. No hearing is involved.
    3. The accused violator is informed in writing of action taken. Copies of that notice are made for inclusion in the accused violator's file as noted in Section 2 (above). Appeals of the committee's decision may be made to the VP/CIO.
  6. Sanctions that can be imposed by the committee range from a letter of warning to permanent revocation of network access. The committee will base the sanctions on the degree of potential harm created by the act and the degree of intent in the act, among other factors.
  7. In any question of overlap to another disciplinary or law enforcement process, this process will defer to the other. In such cases, interim revocations by system administrators may remain in effect until the other process has been completed.

Revisions: July 22, 1996; June 19, 1997; May 1, 2000

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.