Information Services

Acceptable Use of Network and Computing Resources at the Art Institute of Chicago and the School of the Art Institute


Policy No. 051
The Policy Applies to: All AIC and SAIC Employees
Title of Policy Owner: Chief Information Officer
Department: Information Services
Approval: Chief Information Officer
Revision Date History: February 22, 2016
Originally Issued Date: July 1, 2009
Refer Questions to: policyquestions@artic.edu

The Art Institute of Chicago (AIC), encompassing both the museum and the School, provides access to local, national and international networks as well as computing resources in order to support its mission and goals.

General Principles

Access to network and computing resources owned or operated by the AIC imposes certain responsibilities and obligations and is granted subject to all AIC policies as well as local, state and federal laws. Acceptable use should always be legal and ethical, reflect academic honesty, show restraint in the consumption of shared resources, and reflect community standards. It should demonstrate respect for intellectual property, ownership of data, system security mechanisms, and individuals' rights to privacy and freedom from intimidation and harassment based on race, gender, sexual orientation, disability, national origin or any other status protected by law.

Guidelines

There are responsibilities that must be met as a part of the privilege to access network and computing resources. These include, but are not limited to, the following. You must not:
  1. Use resources to engage in unlawful activities, including sending discriminatory or harassing remarks or content or threats of violence.
  2. Allow other individuals to use, or fail to protect, the accounts (user IDs), passwords and access assigned to you.
  3. Access or attempt to access another user's accounts, passwords, computers, data, files, or e-mail without authorization.
  4. Misrepresent yourself or attempt to circumvent any data protection or network security measures.
  5. Use network resources to gain or attempt to gain unauthorized access to remote computers.
  6. Attach any equipment, including wireless access points, or install any software that could potentially impair the performance, integrity or security of any AIC computers, networks or data.
  7. Attempt to decode passwords or data or to monitor another user's communications.
  8. Deliberately perform an act that interferes with the operation of computers and/or network traffic.
  9. Engage in any activity that could be purposely harmful to systems or information such as creating or propagating viruses, disrupting services, damaging files, or making unauthorized modifications to data.
  10. Use resources for commercial profit-making purposes without authorization.
  11. Use resources for political purposes that are incompatible with AIC’s non-profit status.
  12. Perform acts that unfairly monopolize resources to the exclusion of other authorized users.
  13. Violate the terms of any software licensing agreements and copyright laws.
  14. Infringe any copyright, including the unauthorized and infringing distribution of copyrighted materials through unauthorized peer-to-peer file sharing.
  15. Engage in any other activity that does not comply with the General Principles presented above.

Enforcement

The AIC considers any violation of acceptable use principles or guidelines to be a serious offense. The AIC reserves the right to copy and/or examine any files or information resident on AIC resources allegedly related to unacceptable use. In cases of misuse or abuse which involve an immediate threat to the network, data or rights of other users, the AIC has the right to temporarily suspend a user's access or to disconnect the offending system or network subdivision to which it is attached without prior notice. Violators are subject to disciplinary actions as outlined in the student, faculty and staff handbooks or in AIC/SAIC policy statements.

Access to network and computing resources owned or operated by the AIC will be terminated, in appropriate circumstances, for individuals who are repeat infringers of third-party copyrights. Users should also be aware that copyright infringement, including the unauthorized and infringing distribution of copyrighted materials through unauthorized peer-to-peer file sharing, may result in civil and criminal liabilities under federal copyright law. Civil liabilities may include actual damages and the infringer’s profits, or statutory damages for each work infringed ranging from $750 to $30,000 (or up to $150,000 in the case where the infringement was committed “willfully”). (17 U.S.C. 504) An infringer may also be subject to criminal liability for willfully infringing a copyright (A) for purposes of commercial advantage or private financial gain; (B) by the reproduction or distribution, including by electronic means, during any 180-day period, of one or more copies or phonorecords of one or more copyrighted works, which have a total retail value of more than $1,000; or (C) by the distribution of a work being prepared for commercial distribution, by making it available on a computer network accessible to members of the public, if such person knew or should have known that the work was intended for commercial distribution. (17 U.S.C. 506)

Information Disclaimer

Individuals using network and computing resources at AIC do so subject to local, state and federal laws and all policies in effect at the museum and the School. Information, messages and materials made available via AIC network resources do not necessarily reflect the attitudes, opinions or values of the Art Institute of Chicago, its faculty, staff, or students.


Cyber Incident Response Plan Standard


Policy No. 098
The Policy Applies to: All AIC and SAIC Employees
Title of Policy Owner: Director of Information Security
Department: Information Services
Approval: EVP for Finance and Administration
Revision Date History: n/a
Originally Issued Date: September 29, 2023
Refer Questions to: policyquestions@artic.edu
Purpose

The purpose of the Cyber Incident Response Plan (CIRP) is to establish an effective process for handling cyber incidents that will limit impacts to the Art Institute of Chicago and the School of the Art Institute of Chicago. The purpose of this Information Security Cyber Incident Response Standard is to alert all faculty, staff, and students of their roles and responsibilities with regard to cyber security incidents or security breaches.

All faculty, staff, and students of AIC/SAIC shall report any incidents that could jeopardize the confidentiality, integrity, or availability of digital information or information systems, suspected incidents, incidents of misuse, or anomalous activities to an AIC information technology department.

Roles and Responsibilities

All employees and students

Anyone with knowledge or reasonable suspicion of an incident is instructed to report the incident to one of the following as appropriate:

IT Staff

After the creation of an incident ticket, IT Staff will conduct the initial investigation in order to determine if escalation to the CIO/CSO is warranted. IT staff have the requisite access and privileges that are essential for initial response, investigation and triage actions. However, actions should be limited to the minimum necessary to preserve system settings and to record forensic information and evidence for confirmed incidents. If escalation is warranted, please refer to the full Cyber Incident Response Plan (CIRP) for the CIO/CSO designations and make sure these people have been made aware of the incident.

CIO/CSO

The CIO/CSO will determine the category and severity of the incident and undertake discussions and activities to determine the best course of action, i.e., decide if CIRP execution is required. This decision will be based on variables such as the classification of the data and the criticality of the system involved in the incident. For full steps, please refer to the full Cyber Incident Response Plan rather than this standard.

Definitions

Security breach - A security breach is any incident that results in unauthorized access to computer data, applications, networks or devices. It results in information being accessed without authorization. Typically, it occurs when an intruder is able to bypass security mechanisms. Technically, there's a distinction between a security breach and a data breach. A security breach is effectively a break-in, whereas a data breach is defined as the cybercriminal exfiltrating information.

A cyber incident or incident is defined by the Department of Homeland Security as an occurrence that:

(A) Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits.

(B) Constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

An incident could be either intentional or accidental in nature. Specific examples of cyber incidents are:

  • Users are tricked into opening a malicious email attachment that is actually malware, which encrypts their data and displays a message demanding a ransom to decrypt it.
  • An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
  • A user provides or exposes sensitive information through a phishing email.
References

  • The Information Security Policy can be found here and contains information on Data classification.
  • Cyber Incident Response guidance from the National Institute of Standards and Technology can be found here.
  • The Acceptable Use Policy can be found here.
  • The Emergency response plan per building can be found here.

