Skip Navigation
Student Computing Policy Guide 2007-2008

JOHNS HOPKINS
INFORMATION TECHNOLOGY POLICIES

INTRODUCTION

Information technology continues to expand in use and importance throughout The Johns Hopkins University (JHU) and The Johns Hopkins Health System Corporation (JHHS), collectively "Johns Hopkins" and "JH". It is an indispensable tool for education, research, and clinical care, and plays a central role in the overall life of the Institution. The uses of information technology have changed dramatically over the last twenty years, and it is likely that the rate of change will accelerate in the future. For these reasons, it is critical that Johns Hopkins articulate a clear statement regarding the appropriate uses of our information technology resources and institute safeguards to ensure that our technology is secure, reliable, and available for the entire Johns Hopkins community.

These Policies have four primary purposes:
  1. To ensure compliance with all applicable federal, state, and local laws;
  2. To safeguard and protect all IT Resources from anything other than authorized and intended use;
  3. To provide protection to academic, clinical, financial, research, and all other systems that support the mission and functions of Johns Hopkins; and
  4. To address security issues of Availability, Confidentiality, and Integrity, as those terms are defined below.

E-mail and user accounts and their contents are generally considered private by JH, but neither this policy nor technology is able to guarantee privacy or confidentiality. Although it is not the routine policy of Johns Hopkins IT resource administrators or designees to view others' files, and although it is JH's intention to keep files private, Hopkins cannot guarantee privacy. Johns Hopkins reserves the right, and may be required, to access, copy, examine, and/or disclose all files, including e-mail messages and files stored or transmitted on, across or through Johns Hopkins IT Resources, in a number of circumstances, including: for safety, security, and/or legal purposes; as needed to maintain or protect its personnel, facilities, and not-for-profit status; as necessary to render network services; or in order to protect Johns Hopkins' rights or property. For these reasons, there should be no presumption of privacy or confidentiality concerning information stored on or transmitted across Johns Hopkins IT Resources.

Certain information (such as protected patient health information; certain student information; documents, e-mails and other information protected by the attorney-client privilege; and federal data subject to security classifications) is protected by law, and persons responsible for or who have access to such information are expected to be aware of and comply fully with the laws protecting such information. Nothing in these Policies is intended to affect in any way the confidentiality or protection of such data.

Johns Hopkins complies fully with all federal, state, and local laws, including the Digital Millennium Copyright Act. All legal questions should be directed to the JHU Office of General Counsel for the respective entity, school, or department involved

ENFORCEMENT

The failure to comply with any of these Policies may result in loss of access to some or all of IT Resources and/or loss of access privileges to IT Resources. In addition, violators of these Policies may be subject to criminal and/or civil penalties and to disciplinary action, up to and including termination/expulsion.

USE OF IT RESOURCES

Acceptable Use

Acceptable use of IT Resources is use that is consistent with Johns Hopkins’ missions of education, research, service, and patient care, and is legal, ethical, and honest; it must respect intellectual property, ownership of data, system security mechanisms, and individuals’ rights to privacy and freedom from intimidation, harassment, and annoyance; it must show consideration in the consumption and utilization of IT Resources; and it must not jeopardize Johns Hopkins' not-for-profit status. Incidental personal use of IT Resources is permitted if consistent with applicable JH and divisional policy, and if such use is reasonable, not excessive, and does not impair work performance or productivity.

Unacceptable Use

Unacceptable use of IT Resources includes, but is not limited to:

E-MAIL USE

The Johns Hopkins e-mail systems are used to support the mission of Johns Hopkins and to allow effective communication between faculty, staff, students, and business associates. These systems vary substantially in size, scope and sophistication. Policies and procedures regarding e-mail storage, back-up, and archiving also vary substantially across Johns Hopkins. In addition, there is no single e-mail archive system for the entire institution. Back-up, storage and archiving of important e-mail messages are the responsibility of each individual user.

E-mail transmission over the Internet is inherently insecure and subject to security breaches that include message interception, message alteration, and spoofing. Users of JH e-mail systems should not assume the confidentiality of any message that is sent or received via the Internet.

While the transmission and receipt of e-mail messages is generally reliable, timely delivery of time-sensitive information cannot be guaranteed.

Acceptable Use

Acceptable use of e-mail is use that is consistent with the JH Policy on Use of IT Resources.

Unacceptable Use

Unacceptable use of Johns Hopkins e-mail systems includes, but is not limited t

ANTI-VIRUS POLICY

Electronic viruses, worms, and malicious software are constant threats to the security and safety of computer networks and computing environments. These threats can be minimized by using protected equipment and practice of safe computer habits.

All devices vulnerable to electronic viruses must be appropriately safeguarded against infection and retransmission. Johns Hopkins has licensed anti-virus software for use by faculty, staff, and students. It is the responsibility of every user to ensure that anti-virus protection is current and effectively implemented. Infected devices may be blocked and/or removed from the JH Network by IT@JH or appropriate departmental personnel.

Effective anti-virus protection includes, but is not limited t

NETWORK SECURITY POLICY

It is Johns Hopkins policy to use appropriate tools and practices to protect the Johns Hopkins Network against intrusion and misuse. Network security requires the cooperation of the entire Johns Hopkins community. Misuse of the JH Network includes but is not limited to the following:

WIRELESS SECURITY POLICY

Wireless technology presents a number of unique security challenges. It is often difficult for a system or network to know the identity of a user establishing a wireless connection. This problem is exacerbated by the ease and low cost of deploying wireless access points. Accordingly, IT@JH has the responsibility to approve (or designate approval authority to appropriate entities or individuals) all wireless installations. Wireless policies are as follows:

ACCESS CONTROL POLICY

Many personal computer operating systems can be configured to allow access across the Internet and other networks. Users must make best efforts to ensure that their systems are configured so as to prevent unauthorized access. When remote access is allowed, special care must be taken to select safe implementation options and ensure that passwords and other access controls are respected.

Passwords.

When passwords are used for authentication, administrators should install password mechanisms that provide strong security while also aiding users with selection and management of strong passwords. In most systems, users are ultimately responsible for creating and protecting passwords that provide access to IT Resources. Password policy and management practices should reflect the nature and use of the application. The following are required policies with respect to mission critical systems and those that store, process or transmit Restricted information. In addition, these are recommended best practices for any system:

Like all other controls, password authentication should be deployed in layers. For example, Restricted information is sometimes stored in simple databases, word processing documents and spreadsheets, most of which can be protected by requiring password access. Unfortunately, password management for these files violate the standards above (i.e. only one password is assigned and it therefore must be shared among authorized users, no access logs are maintained, etc.) While password protection of this type is inadequate as the primary form of protection, it can still be an effective way to restrict access to a subset of users.

WORKSTATION AND DEVICE SECURITY POLICY

All members of the Johns Hopkins community share in the responsibility for protecting information resources for which they have access or custodianship. Users are responsible for protecting information resources to which they have access and must take steps to protect their desktop, laptop computers, PDAs or other devices from compromise either by external agents or members of the JH community. They must select operating systems and other software that is inherently securable, and modify default installation passwords and other configuration options to reduce vulnerabilities to a minimum. It is the user’s responsibility to ensure that security patches (software that fixes security vulnerabilities, often distributed by the vendors of the products with the vulnerabilities) are applied to their IT devices, or assure that an IT administrator installs current patches. Users must cooperate with and avail themselves, as appropriate, of security services provided by the JH.

Conclusion

The University recognizes that the needs of its clients are diverse. Providing a wide range of services for research and instruction necessarily entails a relatively unrestricted, flexible system and network organization. We depend on, trust, and request that our users practice considerate and responsible computing habits and adhere to common sense standards. As a member of the JHU community, you are responsible for staying informed of policy updates. The most recent version of this guide and updates are published at: http://jumpstart.jhu.edu

Disclaimer

The Johns Hopkins University cannot compensate users for degradation or loss of personal data, software, or hardware as a result of their use of University-owned systems or networks, or as a result of assistance from Student Technology Services or any other department of the University.

Policies Approved By:

Advanced International Studies
Arts & Sciences
Engineering
Nursing
Peabody Institute
Professional Studies in Business & Education
Public Health