
Acceptable Use Policy

Effective Date: April 2019

Last Reviewed: June 2025

Next Review: June 2026

Purpose and Scope

Bentley University’s data and information systems are valuable assets that must be protected. Proper and acceptable use of information technology (IT) assets and data will mitigate risks associated with malware attacks, network and system compromises, and data breaches. This Acceptable Use Policy (AUP) applies to the use of Bentley’s IT assets, including applications, networks, devices, and business systems, whether owned or leased by Bentley, the user, or a third party. All faculty, staff, contractors, consultants, temporary employees, undergraduate and graduate students, and guests (“users”) of Bentley’s devices, networks, and systems must act in a responsible and ethical manner to protect Bentley’s systems, information, and reputation. It is expected that all users be familiar with and stay current with this policy.

Definitions

  • Acceptable Use is the use of information assets (IA) and information technology (IT) resources that is expressly permitted by Bentley University.
  • Breaches include incidents that result in unauthorized access of data, applications, services, networks, and/or devices by bypassing their underlying security mechanisms.
  • Disruption includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  • Information Technology (IT) encompasses any computing or electronic device related to information assets (e.g., computers, mobile devices, servers, network resources, and IT/security tools).
  • Personally Identifiable Information (PII) is an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person’s: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number that would permit access to an individual’s financial account. This does not include publicly available information, or government records lawfully made available to the general public.
  • Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that is created or collected by a covered entity and can be linked to a specific individual. This can be interpreted broadly and includes any part of a patient’s medical record or payment history.
  • Phishing is an email-based deception used by criminals to gain access to money, information, and computer systems. Phishing is a type of social engineering. Most phish push you to click a link, open a document, reply, log into an account, and/or confirm sensitive information.

General Requirements

Bentley University has critical technology and data dependencies for day-to-day operations and strategic goals. General obligations related to the acceptable use of IT assets are as follows:

  1. At all times, users must protect Bentley IT assets and data (regardless of where it is stored or how it is accessed) consistent with the requirements set forth in Bentley University policies and procedures;
  2. Users must always protect their credentials (username/password); see the password section below for more details;
  3. Users must not download Level 1 or Level 2 data to unauthorized locations (e.g., non-Bentley cloud or non-Bentley laptop/desktop, USB devices or portable media) or disclose to unauthorized individuals, systems, or entities (e.g., highly confidential, financial, personally identifiable information, personal health information). See a supervisor if you have questions. Reference the Data Classification Policy;
  4. Independent businesses may not be developed or run using university computing/networking resources unless it is a sanctioned campus organization and/or part of academic programs (e.g., service-learning, scholarship fund raising). Bentley University reserves the right to remove, without warning, unapproved commercial activities;
  5. Faculty, staff, and students are expected to maintain accurate data (e.g., date of birth, address, Social Security number) when updating personal information on any of Bentley’s administrative and instructional databases;
  6. Users are expected to report potential information security incidents to the Help Desk X2854 / helpdesk@bentley.edu. Validated incidents will be escalated to cybersecurity@bentley.edu;
  7. Those who discontinue the use of personal devices for work purposes, or who leave Bentley’s employment, must have a Bentley IT employee remove business content and disable Bentley-provided software on those devices. These users must also return Bentley-owned devices to their manager or to a Human Resources (HR) representative;
  8. The following are examples of activities that are strictly prohibited while utilizing Bentley information assets and technology. The list includes, but is not limited to:
    1. Promoting and/or facilitating illegal activities; including but not limited to: identity theft, hacking, fraud, child pornography, and/or copyright violation;
    2. Unauthorized access, duplication, alteration, modification, or destruction of Bentley data, systems, configurations, and resources;
    3. Devices may not be used at any time to harass, retaliate towards others, or discriminate based on race, national origin, sex, sexual orientation, gender identity, gender expression, age, disability, religious beliefs, or any other characteristic protected by law. This includes any behaviors that violate the university’s Code of Ethics, Online Misconduct policy, Code of Conduct, and/or other harassment policies;
    4. Violations of academic integrity and/or the rights of the university or any person. This includes, but is not limited to selling papers, unauthorized copying of copyrighted material, use of Artificial Intelligence/Large Language Model generated content without prior approval, and installation or distribution of pirated and/or software products that are not properly licensed for use by the user and/or Bentley University;
    5. Use of technology resources (e.g., a smartphone) to record conversations, lectures, or classroom interactions without the express consent of those individuals being recorded;
    6. Tampering with or changing anti-virus, firewall, or other security-related computer settings;
    7. Installing prohibited software;
    8. Deliberate introduction of malicious programs onto Bentley systems (e.g., virus; worm; keystroke logger);
    9. Causing or contributing to security breaches or disruptions of network communication. Examples include:
      • Excessive use of systems or network capacity for personal gain/benefit, accessing data without authorization, and logging into a server or account without authorization;
      • Interfering with or denying service to any other user, host, or Bentley system;
      • Using a program, script, or command, or sending messages with the intent to interfere with or disable a user’s session locally or via the Bentley University network.
    10. Making fraudulent offers of products, items, or services originating from any Bentley University account and/or making statements about warranty, express or implied;
    11. Exporting software, technical information, encryption software, or technology that may violate international or regional export control laws. (Consult legal counsel if you have questions on this topic.)

Note: The above list is not comprehensive, but rather a means to provide a framework for activities in the category of unacceptable use. Certain users may be exempted from specific restrictions during the course of legitimate job responsibilities (e.g., systems administration staff may be required to disable the network access of a host).

Passwords and Systems Access

To gain access to Bentley’s network, systems, and data, authorized users are given credentials (ID and passwords). It is expected that users will follow these password requirements, applicable to individual, system, and application credentials:

  1. Users are accountable for all activities associated with their user IDs and passwords (credentials);
  2. Users should never use their Bentley network password with non-Bentley applications and/or websites, such as shopping and banking sites;
  3. Users should never use Bentley privileged or administrative credentials on personal devices to make changes or updates to Bentley systems.
  4. Users must change their passwords upon initial login and/or when required (e.g., expiration or a password reset by the Help Desk);
    1. Users must change their passwords if they suspect a compromise (e.g., shoulder surfing, phishing);
    2. Users may be requested to change passwords by an IT Staff member if there is indication that credentials may have been compromised;
  5. IT Staff may force a password reset or disable the user account with or without the consent of the end user in the event of a compromise or active threat;
  6. Users must keep their passwords secure and confidential. Sharing credentials is prohibited;
  7. Users are prohibited from attempting to circumvent authentication and/or security of any computer, host, network, or application account;
  8. Users are encouraged to use strong passphrases that meet the Bentley University minimum password requirements;
  9. Users are required to enroll in multi-factor authentication.

Phishing and Email Use

All users must be cautious when opening email. A valid-looking email may be a phish. A phish is a fake email that looks real. Users should beware of emails that engender feelings of urgency, fear, strong curiosity, and exceptional opportunity. Users should report suspicious phishing emails by forwarding the email to phishbowl@bentley.edu or by using the report button; see: https://www.bentley.edu/offices/it/phish-bowl. Note: Bentley will never ask users for their Bentley credentials via phone, text or an email/email link.

Below are requirements related to emails and phishing which users should follow. See also the Email Policy.

  1. Emails sent or received by users while conducting university business are considered Bentley data, subject to records retention and security requirements. See the Records Retention Policy.
  2. When conducting university business, users are to use university-provided email accounts, rather than personal email accounts;
  3. Incidental/personal use of email should not interfere with Bentley’s email system;
  4. Email distribution lists are university property. Distribution lists may only be provided to external third parties in conjunction with legitimate academic or administrative initiatives and only after obtaining approval from a division head;
    1. Under no circumstances may university distribution lists be sold to an external party, nor may the lists be used for individual gain (e.g., marketing a product or service);
    2. Employee use of distribution lists for surveys is allowed for legitimate academic or administrative purpose.
  5. The following email activities are prohibited when using a university provided email account:
    1. Soliciting for political, religious, or business ventures not directly affiliated with official university activities;
    2. Transmitting information that is false, derogatory, profane, or sexually explicit;
    3. Sending or circulating harassing materials (e.g., threats or offensive remarks about race, ethnicity, gender identity, or sexual orientation);
    4. Sending an email under another individual’s name or email address, except when authorized to do so by the owner of the email account for a work-related purpose;
    5. Attempting to disguise the identification or origin of the e-mail;
    6. Accessing the content of another user's email account except as part of an authorized investigation, approved monitoring process, or official university duty;
    7. Sending or forwarding any email suspected to contain computer viruses or other malicious material, except to IT for remediation;
    8. Sending or circulating unwanted/uninvited spam emails and email chain messages (i.e., messages sent with the expectation that the recipient will forward them).

Internet Use

Users accessing the internet through Bentley’s network and/or on a Bentley device should do so in a manner that supports business operations and does not interfere with Bentley’s business or infringe on the rights of others. The following are examples of inappropriate internet use:

  • Any illegal activities, illegal gambling, or viewing of illegal content;
  • Copyright infringement when downloading or file-sharing/swapping;
  • Hacking or unauthorized access;
  • Accessing pornographic/adult services sites;
  • Running a sideline internet business without an approved exception to this policy (conflict of interest).

With CIO/DCIO/CISO approval, the IT department may block access to internet websites and protocols that are deemed malicious to the Bentley University environment. The IT Department will periodically review and implement changes to web and protocol filtering rules. If a site is miscategorized, users may request the site be unblocked by submitting a service request to Help Desk X2854 / helpdesk@bentley.edu, which will be assigned to a Network/Security Engineer for review.

Remote Access / Personal Devices (BYOD)

Bentley University permits the use of personally owned devices (e.g., bring-your-own-device (BYOD)) to perform work for or on behalf of the university in certain circumstances. 

Remote Access – IT provides secure remote access technologies (e.g., VPN) for authorized users to access certain university network and internal resources. VPN or remote access for privileged or administrative accounts is ONLY permitted on Bentley owned devices, not on personal devices. All remote access to networks owned or managed by the university must be accomplished using a remote access method approved by the university.

When accessing web applications and/or using personally owned devices (BYOD), users are expected to adhere to these requirements:

  1. Non-Bentley devices used to connect with Bentley University data and systems must meet minimum system requirements including, but not limited to:
    • Password protection
    • Encrypted
    • Multifactor authentication
    • Up-to-date anti-virus protection and anti-malware protection
    • Supported web browser and operating systems
  2. Level 1/Highly Confidential data or Level 2/Sensitive data must NOT be downloaded or stored on non-Bentley managed devices. Reference the Data Classification Policy.
  3. Work data must not be merged with the Bentley users’ personal data, nor accessed by unauthorized individuals.
  4. Never share Bentley data and applications with unauthorized persons.
  5. Users must report lost or stolen devices to Bentley’s Help Desk or helpdesk@bentley.edu within 24 hours. Users are responsible for notifying their mobile carrier immediately upon loss of a device.
  6. The following are risks, liabilities, and disclaimers for using a personal device with Bentley’s systems:
    1. University data created and/or stored on non-university devices and databases should be transferred to Bentley resources as soon as feasible;
    2. Bentley reserves the right to disconnect devices or disable services without notification;
    3. The employee is expected to use their devices in an ethical manner while on Bentley’s network;
    4. The employee is personally liable for all costs associated with their device;
    5. When an employee leaves the university, all Bentley data should be deleted from user’s personally owned devices;
    6. The employee assumes liability for personal losses resulting from non-compliance with Bentley policies. This includes, but is not limited to, the partial or complete loss of company and personal data due to an operating system crash, malware, and/or other software or hardware failures.

Social Media

Social media provides users with a means to communicate broadly with the public. Activities that violate the university’s policy against harassment or constitute an invasion of individual privacy undermine the environment that the university seeks to maintain. These actions may result in the imposition of sanctions for violation of university policy. Additionally, untrue statements of fact that harm another’s reputation may be defamatory or libelous and may subject the individual making such statements to legal action.

Access and Privacy 

The university has the legal right to access, preserve and review all information stored on or transmitted through its electronic services, equipment, and systems (collectively, “IT Systems"). The university endeavors to afford reasonable privacy for individual users and does not access information created and/or stored by individual users on its IT Systems except when it determines that it has a legitimate operational need to do so. Approval from two Bentley vice presidents is required before accessing an employee’s email data and/or systems.

Enforcement

Bentley information technology and assets may be audited and/or monitored for unauthorized activity and usage. Certain kinds of data and IT fraud are illegal and punishable by civil sanctions, criminal fines, and/or imprisonment. The university is obligated to report instances of illegal activities to authorities and will cooperate with authorities in the investigation of illegal activities.

Bentley University reserves the right to require the registration of all technology-related devices used on campus, regardless of whether the device is owned by the institution or an individual. Bentley will identify and quarantine devices suspected of adversely affecting the network; employ tools to monitor network-related activity; and may restrict or eliminate bandwidth allocation to specific devices.

Employee violations will be handled by the employee's supervisor, in conjunction with Human Resources. Student violations will be referred to the Student Affairs judicial process or Bentley’s academic integrity process, or both.

Bentley University reserves the right to change provisions of this and other university policies periodically and will provide written notice of substantive changes. Bentley University may take disciplinary action up to and including termination of access, ending of contracts, legal action and/or dismissal of individuals not in compliance with this policy.

Exceptions

Bentley’s Chief Information Officer (CIO) maintains authority over, and enforcement of, the AUP and related policies. Requests for exceptions to this policy may be submitted to the cybersecurity@bentley.edu mailbox.

Related Policies and Procedures

The Acceptable Use Policy is one of several university policies and procedures. All university data is classified within security levels, with usage requirements based on data levels. For full details see the university’s Data Classification Policy. In addition, any individual who handles credit card information on behalf of Bentley University is subject to Bentley’s Payment Card Policy which supports the Payment Card Industry Data Security Standard (PCI-DSS). Employees or contractors who process certain types of financial information are also bound by the Financial Services Modernization Act (GLBA) Policy, and may include specific laws, such as: Family Education Rights and Privacy Act (FERPA), and Global Data Protection Regulation (GDPR). The requirements and responsibilities articulated in this policy are embodied in numerous Bentley policies and procedures, including, but not limited to:

Policies

Code of Ethics (Faculty & Staff)  

Data Classification Policy 

Information Security Policy    

(HR) Employment Policies and Practices

Procedures:

Cybersecurity Incident Response Procedure

Policy Exceptions Process and Exception Request Form

Code of Conduct (Students)

Digital Millennium Copyright Act

Records Retention Policy


Contacts and Web Resources

For immediate reporting of a possible cybersecurity incident, contact the Help Desk at X2854 or helpdesk@bentley.edu. For a confirmed cybersecurity incident, an IT risk concern, and/or to submit a request for a policy exception, contact the Cybersecurity Office at cybersecurity@bentley.edu or reach out to the CISO, David Norman.

Revisions

| Version | Date | Author | Reviewers | Approvers | Notes |
|---|---|---|---|---|---|
| 1.0 | - | - | - | - | Original document |
| 2.0 | 4/24/2019 | Erika Powell-Burson, CISO | Vicki Escalera, Dir. Compliance & Risk; Sue Walsh, DCIO; Dan Sheehan, Dir. Client Services; Anne Pugliese, Dir. DMAS; Ron Ardizzone, Sr. Mgr. DMAS; Tisha Arffa, InfoSec PM; Judy Malone, General Counsel | Bob Wittstein, VP/CIO; George Cangiano, VP/HR | This updated Acceptable Use Policy (AUP) integrates content from other Bentley policies and replaces: Data Classification and Usage Policy (usage portions); Computing and Network Policy; Mobile Device Policy; Clean Desk Initiative; Remote Access Policy. Language updated based on tech, risk, and regulation changes. |
| 3.0 | 4/1/2023 | Mike Gioia | Bob Wittstein, VP & CIO; Judy Malone, General Counsel | Bob Wittstein, VP & CIO; George Cangiano, VP/HR | Reviewed to ensure up to date. |
| 3.1 | 5/17/2023 | Brendan Almeida, David Norman | - | - | Updates to the following: Added PHI definition; Highlighted AI/ML usage; Password authority specified; Illegal internet activity clarified; Fixed broken links |
| 3.2 | 11/10/2023 | David Norman | Guilherme Costa, Stacey Walzek, Elizabeth Humphries, Greg Farber | Data Analytics Executive Steering Committee | Updates to improve readability and wording of the policy. |
| 3.3 | 12/01/2023 | David Norman | - | - | Minor updates to correct links |
| 3.4 | 06/09/25 | David Norman | | | Updates to Remote Access section of policy to clarify appropriate use of VPN |