
Handbook

Acceptable Use of University Information Resources

Policy Number: 180

Subject:

Information Resources

Scope:

All users of university information resources.

Review Date:
July 2019
Responsible Office:
Information Technology
Responsible Executive:
Vice President and Chief Information Officer

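I. POLICY AND GENERAL STATEMENT

The University of Texas Health Science Center at Houston ("university") relies on University Information Resources and University Data to conduct university business and achieve the university's mission. University Information Resources and University Data must be used appropriately to ensure their availability and preserve their integrity and confidentiality, so that the university can meet its academic, research and clinical commitments and goals. Federal and state laws and regulations, University of Texas System (UT System) policies and university policies also require the appropriate use and adequate protection of University Information Resources and University Data.

All Users are responsible for appropriately using and protecting University Information Resources and University Data in accordance with this policy. To the extent applicable, this policy applies to students participating in distance learning programs and courses.

Nothing in this policy supersedes or modifies HOOP 201, Intellectual Property, HOOP 92, Research Data Retention and Access, or any other applicable university or UT System policies or Regents Rules pertaining to the ownership of intellectual property.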

II. DEFINITIONS

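University Information Resources: All computer and telecommunications equipment, software and media owned or controlled by the university.

University Data: All data or information created by or on behalf of the university.

User: Any individual granted access to University Information Resources and/or University Data.

Confidential Data: All University Data that is required to be maintained as private or confidential by applicable law.

Peer-to-Peer File Sharing Software: Computer software, other than computer and network operating systems, that allows the computer on which it is used to designate files for transmission, to transmit files directly to, and to request the transmission of files from, another computer using the same software. Examples include, but are not limited to, KaZaA, BitTorrent, Gnutella, eDonkey, eMule, Direct Connect, Vuze, Ares.

Virtual Machine: A software implementation of a machine (i.e., a computer) that executes programs like a physical computer.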

III. PROCEDURE

A. Ownership and Access to University Information Resources; No Right to Privacy

Except as otherwise provided by HOOP 201, HOOP 92, the Long-Term Care Ombudsman Program policies and procedures, the Employee Assistance Program, or any other applicable university or UT System policies or Regents Rules pertaining to ownership of intellectual property, all University Information Resources and University Data are the property of the university and subject to this policy and all other applicable university and UT System policies. All University Data created and/or retained by a User are subject to this policy, even if created, stored, processed and/or transmitted on a User’s or another person’s personal computer, smart phone, email account, or other personal device or other non-university owned website.

All University Information Resources and University Data are subject to access and/or monitoring by the university and/or UT System without notice for any purpose consistent with the duties or mission of the institution including, but not limited to, responding to public information requests, court orders, subpoenas or litigation holds and conducting University Information Resource related maintenance, inventories and investigations related to the duties and missions of the university. To the extent a User has created, stored, processed and/or transmitted University Data on the User’s or another person’s personal computer, smart phone, email account or other personal device or other non-university owned website, the User must provide the university with access to that University Data upon request. The university does not assert an ownership interest in the content of exclusively personal information or documents stored on University Information Resources as part of a User’s Incidental Use, as defined in this policy. However, such information and documents may be subject to access and/or monitoring by the university as described above.

B. Guidelines for Use of University Information Resources and University Data

Users are required to formally acknowledge that they will abide by this policy. Users are also required to complete initial and recurring information security awareness training. Failure to agree to and abide by these requirements will result in termination of User’s access to University Information Resources and University Data.

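Users must report any weaknesses identified in university computer security and any incidents of possible misuse or violation of this policy to one of the following: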

Users who fail to comply with this policy are subject to disciplinary action up to and including termination of employment, professional or business relationship, or dismissal from school. In some instances of non-compliance, civil remedies or criminal penalties may apply.

A User’s access may be disabled (via account or connection) at the university’s sole discretion if required security software is not installed on the User’s computer or device, or if activity indicates that the computer or device may be infected with a virus or malware, be party to a cyber attack or may otherwise endanger the security of University Information Resources or University Data. Access may be re-established once the computer or device is deemed secure by the Information Security Department.

  1. General Practices
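  • Users must not use university email accounts to send email that may contain computer viruses, “chain letter” email or “broadcast” email (unsolicited email to large groups).
  • The use of quotations, inspirational messages, humorous one-liners, etc. in email signatures is not permitted.
  • Users must not use University Information Resources to: engage in acts contrary to the mission and purposes of the university; intimidate or harass other Users; alter, damage or degrade the performance of university or other information resources; or circumvent computer information security safeguards.
  • University Information Resources must not be used to conduct or promote personal business, or for the exclusive benefit of individuals or organizations that are not part of UT System.
  • Obscene, pornographic or otherwise offensive content or topics intentionally accessed, created, stored or transmitted using University Information Resources is permitted only in the course of academic research as approved by the Institutional Review Board (“IRB”). The researcher must provide documentation of this aspect of the research to the Chief Information Security Officer (CISO) so that it can be included with the Internet logs that are regularly reviewed. Offensive materials include, but are not limited to, materials that might offend a reasonable person on the basis of their race, gender, age, national origin, sexual orientation, religious belief, disability or other status protected by law.
  • Users must comply with U.S. copyright law and the Software Copyright Compliance Policy (ITPOL-018). Users must not download, copy, reproduce or use any copyrighted software, including electronic media or files (e.g., e-books, music, photos and videos), unless expressly permitted by the software license. Users must not use unauthorized copies or reproductions on University Information Resources. For information about copyright, including fair use, creating multimedia and other topics, see UT System's Copyright Crash Course.
  • Users must not disclose Confidential Information or other information that, alone or in combination, would expose the university to the risk of legal, reputational or other harm, including physical or information security breaches.
  • Unless authorized to do so, Users must not give the impression that they are representing, giving opinions or making statements on behalf of the university. Where appropriate, Users should use a disclaimer stating that the opinions expressed are their own and not necessarily those of the university.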
  • Users may not use University Information Resources for the conduct or promotion of a personal business or political activity.
  1. Incidental Use
  • Users must use University Information Resources for university business only and not for personal use, except for appropriate Incidental Use in accordance with this policy.
  • Users have no expectation of privacy with regard to personal information that they elect to store on any University Information Resource. The User’s university email accounts and other University Information Resources should not be used for personal email or other correspondence that is or may be considered confidential to the User or others.
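  • Incidental Use must not interfere with the normal performance of a User's duties as an employee or, in the case of a non-employee User, with the purpose for which the User was granted access to University Information Resources.
  • Accessing or storing sexually explicit material as part of Incidental Use is always prohibited.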
  • Incidental Use is permitted by the User only and does not extend to family members or others.
  • Storage on University Information Resources of any files, emails, documents, text messages, voice mails or other information for Incidental Use is discouraged. In any event, any such storage must be nominal.
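  • The university accepts no responsibility for any personal files, emails, documents, text messages, voice mails or other information stored on University Information Resources as part of a User's Incidental Use. Such storage is at the User's own risk.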
  • Personal information stored on University Information Resources may be subject to open records requests pursuant to the Texas Public Information Act and other applicable laws.
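  • Incidental Use must never result in direct costs to the university, expose the university to unnecessary risk, or violate any applicable law or university policy.
  • Users must not use their university email accounts to send personal commercial advertisements, nor post personal commercial advertisements on university websites.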
  1. Email and Internet Use
  • University provided email addresses and Internet designations are the property of the university.
  • Employees must conduct university business using university email accounts rather than personal or non-university email accounts. Confidential Information contained in email must be encrypted.
  • Users’ email and Internet activities are subject to logging and review for purposes related to the university’s mission and duties.
  • Users must not use their university email address to subscribe to email lists or email services strictly for personal use.
  • Users must not use university email for purposes of political lobbying or campaigning except as permitted by The University of Texas System Regents' Rules and Regulations.
  • Users must not read another User's university email unless authorized to do so by the owner of the email account, as authorized for investigation, or as necessary to maintain services.
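  • Users must not impersonate another User by sending communications from that User's university email account, unless authorized to do so by the owner of the email account.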
  • Only the Office of Development, Office of Public Affairs or other designated positions at each school or unit are authorized to send university or school wide broadcast email.
  • Emails sent or received by Users in the course of conducting university business are University Data that are subject to state records retention and security requirements.
  1. Access to University Information Resources and University Data
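  • Access to University Information Resources and University Data must be on a need-to-know basis and must be granted using the principle of least privilege. All Users must have access only to the resources they need to perform their job duties.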
  • Users must not deprive other Users of University Information Resources or University Data or obtain extra access to University Information Resources or University Data beyond those assigned.
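  • Unless authorized, Users must not disclose, modify, delete or destroy University Information Resources or University Data.
  1. Passwords and Access Codes
  • Passwords and password use must comply with the Password Policy (ITPOL-002).
  • Users must not share passwords or similar information or devices used for identification and authorization purposes, such as digital certificates, security tokens or smart cards. Each User is responsible for all activity conducted using their account to access University Data and/or University Information Resources.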
  • Users must avoid entering their password through the use of auto logon, application “remember password” features, embedded scripts or hard-coded passwords in client software to access University Information Resources.
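  1. Security and Protection of University Information Resources and/or University Data

This section applies to all computers and other devices or systems that maintain University Information Resources or University Data, whether or not the device or system is owned by the university.

  • Portable devices must comply with the Portable Storage Device Policy (ITPOL-001) and Laptop Security Policy (ITPOL-007).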
  • Password protected screen locking must be enabled and set to activate within 15 minutes or less on all computers, laptops and portable devices, where technologically possible. Screen locks must be manually activated by the User when left unattended.
  • Laptops, portable devices and media must be physically secured when unattended.
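  • Laptop hard drives, other portable devices and media must comply with the Portable Storage Device Policy (ITPOL-001) and Laptop Security Policy (ITPOL-007).
  • Computers and laptops connected to the university network must be protected by current, updated and running security software, which includes virus protection software and may include firewall, host intrusion protection or other security software specified by the Information Technology Department. Required security software must not be disabled or bypassed, except when installing software or in other special circumstances or procedures that require such software to be temporarily disabled.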
  • Users must not alter the configuration of any University Information Resource without authorization from the Information Technology Department. This includes, but is not limited to, adding, removing or modifying hardware, software or operating systems, including peer-to-peer file sharing software or virtual machines.
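  • Peer-to-peer file sharing software must not be used except when conducting university business and when specifically authorized by the Information Technology Department. It must not be used improperly or in violation of U.S. copyright law or other applicable laws or policies. Peer-to-peer file sharing software, when improperly or maliciously configured or used, presents a high risk of security breaches and can result in disclosure of information and/or loss of information integrity; such events can seriously degrade the availability of University Information Resources and University Data.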
  • Users must not download or use security programs or utilities that reveal or exploit weaknesses in the security of a system or that reveal information by circumventing established authorization procedures or controls, except as authorized by the CISO. Examples of such items include password cracking programs, packet sniffers and port scanners.
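  • All remote access to networks owned or managed by the university or UT System must be accomplished using a remote access method approved by the university or UT System, as applicable.
  1. Confidential Information
  • Users must not disclose Confidential Information except on a need-to-know basis as required to perform authorized functions in support of university business.
  • Confidential Information must be stored in Zone 100, the university’s network zone with the highest level of security. For circumstances in which university business requires that a User save Confidential Information to a portable device or media, it must be done in accordance with the Portable Storage Device Policy (ITPOL-001) and Laptop Security Policy (ITPOL-007) and in compliance with any policies the system owner may have communicated (see HOOP 175, Section III(B)). Users should consult the Information Technology Department to ensure that appropriate data protection measures are taken to prevent unauthorized disclosure and loss of availability or integrity of the information.
  • Confidential Information that must be sent by email to conduct university business must be sent using a university email account and must be encrypted in accordance with the university's Acceptable Encryption Policy (ITPOL-003).
  • Confidential Information must be encrypted in accordance with the university's Acceptable Encryption Policy (ITPOL-003).
  • Confidential Information transmitted over wireless networks must use approved wireless transmission protocols and comply with the Wireless Network Security Standard (ITPOL-015).
  • Users who use commercial cloud services to store University Data must use services provided or approved by the university, not personally acquired cloud services.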

IV. CONTACTS

    • IT Risk and Compliance Manager
    • 713-486-2219
    • itcompliance@uth.tmc.edu
