SCOPE This policy shall apply to all computer workstations, laptops, servers, networked appliances, and any other device capable of participating in a file sharing P2P network if such device is owned by the University; or any device utilizing University network resources, even if that device is owned privately or by a third party. In addition, this policy applies to faculty, staff, students, contractors, consultants, temporaries, and other workers at the University, including all personnel affiliated with third parties at such time they are using any resource described above. PURPOSE This policy has been implemented in order to mitigate exposure of the William Paterson University to security risks and liabilities associated with the irresponsible use of file sharing P2P applications on university resources. POLICY Prohibited Activity This policy strictly prohibits the distribution, downloading, uploading, or sharing of any material, software, data, document, sound, picture, or any other file that is: Specified as illegal by any federal or state law, statute, proclamation, order, or decree. Copyrighted and not authorized for distribution by the copyright owner. Considered to be proprietary, privileged, private, or otherwise vital to the operation of the university; including, but not limited to, personnel, student, financial, or strategic records and documents, or any material governed by federal and state regulations. Any virus or malware for the purpose of deployment or implementation with ill-intent. Any P2P activity is strictly forbidden in the cases of: Computer labs. Computer workstations and other network devices readily accessible to multiple users. Computer workstations and other network devices used in daily operation by areas and departments heavily affected by federally mandated regulatory compliance. Laptops, computer workstations, and any other network capable device. Users of the University resources may not attempt to circumvent, bypass, defeat, or disrupt any device, method, or technology implemented by the university for the purpose of P2P mitigation. Rights and Responsibilities Students, faculty, staff, contractors, consultants, temporaries, and other workers at the University shall bear legal/financial responsibility for events resulting from their own use of P2P applications. Individual departments, colleges, administrative areas, and other entities must respond in a timely and efficient manner to all inquiries and complaints that arise in regard to this policy. The University are required by federal law to report certain illegal activities to specified law enforcement agencies without notice to the user or the appropriate department. Technology Mitigation The University will implement and maintain a network appliance specifically designed to control and track P2P usage. P2P traffic will be limited in bandwidth, to ensure that network resources are available for all business- and education-related needs and processes. P2P traffic may be blocked for specific areas described under section of this policy. Outbound P2P traffic positively identified as copyrighted material will be blocked. P2P traffic and usage information will be collected, and the collected information will be governed by the policies set forth in this document. Other Privacy Information and Collection Logs detailing P2P traffic and usage on the University network will be collected. Logs will contain IP addresses involved in data transfer, direction of transfer (if retrievable), metadata of file (if retrievable), time, protocol used, and amount of data transferred. Logs will not contain any personal identifying information. Logs will be kept for one year. Information Use Logs will be subject to periodic review for enforcement of this policy. Information collected may be used in aggregate format for reporting purposes. Individual usage will not be actively or routinely monitored. Logs maybe used to investigate complaints or suspicious traffic patterns. Individual colleges, departments, functional or administrative areas, and entities of the University may request information about P2P usage pertinent to that area. This request may only be made by the dean, chair, department head, manager, or other leadership of the area requesting information. The University will not release any information collected by the appliance to any entity external to the University unless compelled or obligated by law or court order, subpoena, warrant, or writing. Enforcement Any faculty, staff, or student found to have violated this policy may be subject to disciplinary action, up to and including suspension, expulsion, and/or termination of employment in accordance with procedures defined by the University administrative policies stated in the handbook governing that individual. In addition, any external entity, contractor, consultant, or temporary worker found to have violated this policy may be held in breach of contract, and as such, may be subject to grievances or penalties allowed by such contract. Definitions P2P (peer-to-peer), in the context of this policy, is defined as direct data communication between two or more network capable devices over the Internet or other network, usually for the purpose of sharing any data file (including, but not limited to: music, pictures, video, software, and documents). P2P network, in the context of this policy, is defined as a collection of distributed network-capable devices participating in P2P activity. Peer-to-Peer (P2P) application is defined as any application that allows a network-capable device to participate in one or more P2P networks. Sharing, in the context of this policy, describes the action and activity of making any data file available to one or more P2P networks. Logs are defined as collections of information, typically used to document activity and events. Uploading describes network trafficking of data files originating from the University network and destined for an external network. Downloading describes network trafficking of data files originating form an external network and destined for the University network. The Southern Miss network and networking resources describe all materials and devices owned by the University and used to provide network connectivity to any network capable device. This includes all jacks, cable, hubs, wireless access points, switches, and routers. EXCEPTIONS Exceptions to this policy will be handled in accordance with the ITS Security Policy. REVIEW This policy will be maintained in accordance with the ITS Security Policy. EMERGENCIES In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible. APPENDIX Created: Author: Version: 1.0