Skip to main content
University Policies and Procedures

9.2 Information and Technology Acceptable Use Policy

Purpose

This policy establishes the responsible acceptable use of Illinois State University (ISU) information and technology (I&T) resources. Access to these resources is provided to support the University's mission and operations. Acceptance of this policy is a condition of activating and maintaining access to ISU I&T resources. 

Scope

This policy applies to the users of ISU I&T resources regardless of a user's affiliation or relationship with ISU. This includes, but is not limited to, campus visitors and event guests who connect to university networks. ISU reserves all rights and remedies to place appropriate policies, procedures, and controls to protect access, integrity, and function of I&T resources in the event I&T resources are impacted by individuals external to ISU who are not official users of I&T resources. This policy  applies to all uses of I&T resources, regardless of the user's physical location or the network from which they are connecting. 

Laboratory Schools

The university's Thomas Metcalf School and University High School each maintain a separate Technology Acceptable Use Policy that addresses student use of technology within the K-12 environment, including provision for parental consent. Those policies govern student use of Lab Schools-specific I&T resources and related instructional activities. Where those policies do not address a specific topic covered by this policy, this policy applies as the university-wide standard. Lab Schools faculty, staff, and administrators remain subject to this policy in their capacity as university employees for their use of university I&T resources. 

 Definitions

User: Any individual who has been officially granted access to Illinois State University (ISU) Information and Technology (I&T) resources. This includes, but is not limited to, students, faculty, staff, contractors, and other affiliated persons or entities who utilize ISU I&T resources for educational, administrative, research, or other sanctioned university activities. 

Information and Technology (I&T) resources: The tools, systems, and equipment provided, managed, or operated by ISU to facilitate the creation, management, storage, communication, and processing of information. These resources include tangible assets like computers, networking hardware, and peripherals, as well as intangible assets such as software, databases, cloud-based services, and data itself. Technology resources also encompass the infrastructure and platforms that support the delivery and operation of these tools, along with the human resources and knowledge required to develop, maintain, and use technology effectively. 

Information: Any data, records, or content, whether in digital or physical form, that is created, received, maintained, or transmitted within the University. In its digital form, information is represented as data, which may include but is not limited to text, images, audio, video, and other digital formats. Information also includes but is not limited to printed or handwritten documents, forms, and other physical records used for educational, research, administrative, or personal purposes within the University environment. 

Software: Any set of programs, applications, or instructions that operate on computers, mobile devices, or other digital platforms. This includes, but is not limited to, operating systems, desktop and mobile applications, utilities, and websites. Software may be installed on University-owned or manages devices, accessed online, hosted in the cloud, or accessed using personal devices. It encompasses both commercial and custom-built programs used for educational, research, administrative, and personal purposes within the University environment. 

Accounts and access credentials: The various authentication and authorization mechanisms provided to users to facilitate their authorized access to ISU I&T resources. This encompasses, but is not limited to, primary University Login ID (ULID) accounts, secondary accounts for privileged system roles, sponsored accounts for guests and contractors, service accounts, security group memberships, passwords, passphrases, personal identification numbers (PIN)s, physical security devices, and other methods that ensure secure access and proper authorization within and to ISU I&T resources. 

Compromised Account: An account or set of access credentials that is reasonably suspected to have been accessed or used by an unauthorized individual. 

Data Breach: A specific type of information security incident in which unencrypted personal information is acquired by an unauthorized person, as defined by the Illinois Personal Information Protection Act (PIPA). 

Click-through agreement: Any terms and conditions, including but not limited to terms of service, end-user license agreements (EULAs), or similar contracts, that are presented to a user during software installation, account creation, or access to an online service and require acceptance (typically by clicking "I Agree" or similar) as a condition of use. Click-through agreements may constitute binding legal contracts. Some click-through agreements include language that binds the organization the user represents, not just the individual user. 

Unacceptable Communication Examples: Terms from the General Use section shall, for the purposes of this Policy, be defined as follows:

  1. Fraudulent communications: Any communication sent under an assumed name or modified address, or with the intent to obscure the origin of the communication. 
  2. Unethical communication: Any communication in violation of the State Officials and Employees Ethics Act, as determined by the University Ethics Officer. 
  3. Breach of the Peace: Any communication that intentionally or recklessly threatens or endangers the health or safety of any person, or intentionally or recklessly creates in such person a reasonable fear that such will occur, including but not limited to, an individual being fearful of bodily harm/experiencing mental anguish. 
  4. Financial Gain: Any use of I&T resources as the primary means of conducting, promoting, or advertising a personal commercial enterprise. 

Policy 

All users must follow this policy governing the responsible, ethical, and acceptable use of ISU's Information and Technology (I&T) resources.

  1. General Use 
    1. Core Principles
      1. Users shall access and utilize I&T resources responsibly, ethically, and in a manner that supports the University's mission. 
      2. I&T resources are intended for educational, research, public service, administrative, and other authorized University purposes. 
      3. University-supplied identifiers assigned to accounts and access credentials, including but not limited to a user's University username, email address, and ID numbers, are the property of the University and may be changed or revoked at any time. 
      4. Users shall adhere to I&T standards ad guidelines established to maintain the performance, integrity, and availability of I&T resources. 

          2. Legal and Policy Compliance

      1. Use of I&T resources must comply with all applicable federal and state laws, as well as all University policies, procedures, and guidelines. 
      2. Users shall observe copyright, intellectual property rights, terms and conditions of any University software license, and any University conditions or limitations applicable to the use of specific I&T resources. 
      3. Users shall not enter into any "click-through" or negotiated agreement that bind the University unless they have been granted specific contract authority to do so under University Policy 7.1.40. Users without such authority are prohibited from accepting terms and conditions on behalf of the University, regardless of whether the product or service is free or paid. 

          3. Prohibited Communications and Activities

      1.  Users are prohibited from engaging in any communications or activities using I&T resources that violate state or federal law, or University policies. This includes, but is not limited to, communications that are threatening, incite imminent lawless action, or are obscene as constitutionally defined. Furthermore, strictly prohibited conduct included fraudulent or unethical communications, breaches of peace, communications in violation of the State Officials and Employees Ethics Act, use of resources for financial gain, and illegal activities such as copyright infringement, harassment, fraud, or unauthorized security breaches. 

            4. Third-Party Access

      1. Any third-party services, vendors, or external partners granted access to I&T resources are required to comply with all applicable University policies and security standards. 

             5. Use of Artificial Intelligence (AI)

      1. The use of AI tools must comply with all other university policies, including those related to academic integrity, research ethics, and intellectual property. 
      2. Users are responsible for the accuracy and ethical implications of content generated using AI tools in their work or academic pursuits. 
      3. The use of AI tools must comply with all provisions of this policy. Additional university-wide guidelines or policies on the use of Artificial Intelligence may impose further requirements. 
      4. Users should be aware that AI-generated content may contain copyrighted or otherwise protected material; users bear responsibility for verifying the originality and legality of such content before using it in university work. 

             6. User Awareness and Training 

      1. Users are required to familiarize themselves with this policy and to complete any university-mandated training related to the acceptable use of I&T resources. 

 B. Secure Use

  1. Account and System Integrity
    1. Users shall safeguard their accounts and access credentials and must not share them with others. 
    2. Users must not exploit system vulnerabilities or unauthorized methods to damage, obtain, use, access or disclose or share ISU I&T resources without proper authorization. 
    3. Users are responsible for taking reasonable measures to protect the physical security of any University-provided I&T resources in their possession.  

    2. Data Protection and Handling 

    1. Users shall exercise caution and discretion when transmitting or storing sensitive or personal information, as electronic systems are inherently vulnerable to unauthorized breaches. 
    2. Unauthorized access, disclosure, or acquisition of data required to be maintained as confidential under Policy 1.10 Security and Confidentiality of Data and Information is strictly prohibited. 
    3. Users are individually responsible for understanding the sensitivity of the information they access and handle and must manage that information in strict accordance with the University's 9.8 Information Security Program Policy and 9.8.1 Data Classification Procedure. 
    4. Users must not use Artificial Intelligence (AI) tools to process university data unless the AI took has been authorized by the University for that data's classification level. 
    5. Users have a responsibility to promptly report any suspected information security incident (such as a data breach, a compromised account, or a lost or stolen device) to the Information Security Office at informationsecurityoffice@illinoisstate.edu.

       3. Device and Network Access 

    1. Users who access or store university data on personally-owned devices are required to secure those devices in accordance with university information security standards, including but not limited to, password protection, encryption, and timely security updates. 
    2. The University reserves the right to manage, and if necessary, remotely remove university-manage accounts and university data from a personal devices in the event the device is lost, stolen, or otherwise compromised. This right applies only to institutional data and services accessed through university-manage applications or accounts. The University will not access, search, or inspect personal data, applications, or files on a user's personal device outside of university-managed resources. 
    3. Users must adhere to all applicable Information Security Standards and Conditions of Access, including when using any device to connect to university resources. 

      C. Personal Use

    1. Limitations and Conditions
      1. Personal use of I&T resources must be incidental, limited in time and resource consumption, and must not interfere with official duties or the University mission. 
      2. Personal use by University employees must also comply with the State Officials and Employees Ethics Act, including its prohibitions on political activities. 
      3. University units and direct supervisors reserve the right to impose additional limitations on personal use of I&T resources in accordance with area, departmental, or operational needs. 

           2. Prohibited Personal Activities 

      1. Personal use of I&T resources shall not involve promotion, solicitation, commercial gain, profit, or advertisement. 
      2. Personal use may not in any way that implies University sponsorship or endorsement of that use. 

           3. Personal Software on University Resources 

      1. Personally licensed software may be installed on University-provided I&T resources if approved by the employee's Vice President or their designee, complies with University policies, does not interfere with official duties, and is properly licensed to the individual. 

   D. Information Privacy and Security 

    1. System Limitations and University Position 
      1. The University implements reasonable and appropriate administrative, technical, and physical safeguards to protect user privacy but cannot guarantee the security of information maintained, transmitted, or stored using I&T resources. 

            2. University Rights 

      1. The University's I&T resources are institutional assets. The University reserves the right to access, monitor, and inspect these resources as necessary to ensure their security, integrity, and operational effectiveness and to comply with legal and policy obligations. Use of I&T resources does not create an expectation of privacy that would prevent the University from exercising its rights under this section. The exercise of this right shall be conducted in accordance with applicable law and University procedures. Any such access shall be limited in scope to what is reasonably necessary for the stated purpose. 
      2. Access to I&T resources for the purpose of investigation the conduct of a specific individual is further subject to the procedures governing the applicable type of investigation, including those governing student conduct, employment actions, and ethics investigations.
      3. The rights described in this section apply to university-owned or university managed systems, accounts, and network infrastructure. They do not extend to personal data, applications, or files on a user's personal device outside of University-managed resources. The University;s commitment to upholding FERPA, constitutional protections, principles of academic freedom, and the civil liberties of all individuals applies to any exercise of these rights. 

           3. University Commitment

      1. The University's use of I&T resources will not endanger the civil liberties of any individual. 

           4. Public Records (FOIA)

      1. As a public institution, information and records created, received, or stored on University I&T resources may be subject to public disclosure under the Illinois Freedom of Information Act (FOIA) or as otherwise required by law. 

    E. Violations and Enforcement 

    1. Reporting and Cooperation 
      1. Users should report suspected misuse of I&T resources or violations of this policy (such as harassment, prohibited communications, or copyright infringement) to abuse@ilstu.edu.
      2. Users accept individual responsibility for all violations that occur from or with their use of I&T resources. 
      3. Users should cooperate fully with investigations of alleged I&T misuse. 

            2. Consequences 

      1. Violations of this policy may result in charges pursuant to the University's Code of Student Conduct; disciplinary action, including but not limited to suspension or revocation of access, discharge, termination, or dismissal; and/or legal consequences under civil or criminal law. 
      2. Violations of this policy are investigated and adjudicated in accordance with 9.2.1 Procedures for Appropriate Use Violations, which defines the complaint process, referral offices by university affiliation, and the University's response to reported violations. Users are encouraged to review that procedure for details on how violations are handled, including escalation for serious or repeated offenses. 

Review and Approval 

This policy will be periodically reviewed by the Chief Information Officer and Chief Information Security Officer. Following this policy review, any recommended changes will be presented to the Academic Senate for its consideration and approval in accordance with shared governance. Final approval of the policy rests with the President of the University. Information and technology resources and their uses change rapidly, and the University reserves the right to amend this policy at any time. The University reserves the right to require users to periodically review and re-acknowledge their acceptance of this policy as a condition of continued access to I&T resources.    

Related Policies

The following related policies are referenced in or relevant to this policy. Users should consult these policies for requirements that may apply in conjunction with this Acceptable Use Policy. Where another policy addresses a specific subject (e.g., academic freedom, academic integrity, contracting authority), that policy governs the specific subject matter. 

1.2 Anti-Harassment and Non-Discrimination Policy

1.8 Integrity in Research, Scholarly, and Creative Activities

1.12 State Officials and Employees Ethic Act (SOEEA)

1.7 University Use of Electronic Equipment for Surveillance Purposes 

1.10 Security and Confidentiality of Data and Information

2.1.1 Student Records 

5.1.19 University Violence 

3.3.13 Academic Freedom

7.1.40 Contracting 

9.8 Information Security Program Policy 

9.4.10 Procedures for Minimum Retention Times of Electronic Stored Information 

9.5.3 Electronic and Information Technology Accessibility Policy 

9.8.6 Procedures for Information Technology Security Incident Reporting

Thomas Metcalf School Technology Acceptable Use Policy 

University High School Technology Acceptable Use Policy 

9.2.1 Procedures for Appropriate Use Violations 

Code of Student Conduct 

 

Documents Details

Date of Initial Publication: August 1997

Date of Last Review: December 2011

Date of Last Revision: June 2026

This policy supersedes and replaces the "9.2 Policy on Appropriate Use of Information Technology Resources and Systems" (last review December 2011). All references in University documents to the pervious policy or the "Appropriate Use Policy" shall be construed to refer to this policy.