VCU Computer and Network Resources Use Policy Enforcement Procedures
General procedures for reporting, investigating, adjudicating and documenting violations of the VCU Computer and Network Resources Use Policy are covered in these enforcement procedures. These procedures do not replace Virginia Commonwealth University's Rules and Procedures, the Virginia Department of Human Resources Classified Employee Standards of Conduct, other appropriate disciplinary procedures, or legal action, any of which may be used in cases of the most serious offenses. Because some violations of the Computer and Network Resources Use Policy may also be violations of local, state or Federal law, prosecution under these laws may be pursued independently of any University action.
Reporting Violations
The Chief Information Officer is responsible for broad oversight of investigation and adjudication of suspected violations of the Computer and Network Resources Use Policy.
Any faculty member, staff member, student, visitor or contractor who suspects a violation of the Computer and Network Resources Use Policy must report the suspected violation to the office or department where the suspected violation occurs or to the Chief Information Officer. The office or department initially receiving this information must report all suspected violations within one working day to the Chief Information Officer and must safeguard and forward all available paper and electronic material related to the suspected violation to the Chief Information Officer.
Offices and departments within the Provost and Vice President for Academic Affairs executive level, the Vice President for Health Sciences executive level, the Vice President for Research executive level and all other executive levels will report suspected violations to the Chief Information Officer.
If a suspected violation involves an immediate perceived danger or threat, or a suspected violation of law, the employee of the office or department initially receiving the information should notify the VCU Police Department immediately and report the incident.
Investigation
Each department that operates a computer facility or manages computer systems (hardware and software) must follow these University investigation and enforcement procedures as they relate to the University's Computer and Network Resources Use Policy.
The dean of each school and the heads of other major units will designate an "investigator" for the school or unit. In selecting such a person, the dean or other unit head must put as much emphasis on the individual's judgment and ethics as on the investigator's technical skills. The dean or other unit head must also ensure that the investigator is thoroughly familiar with the policies contained in the University's Computer and Network Resources Use Policy, the procedures in this document, and other related resources, including those of Human Resources, Audit and Management Services, VCU Police and Student Affairs.
Upon notification of a suspected violation, the Chief Information Officer will notify the investigator for the affected computer unit, the administrator of the computer unit, and the Dean or other unit head responsible for the physical location where the suspected violation occurred. The investigator will collect and document the facts and evidence concerning the incident and make a preliminary assessment of whether a violation actually has occurred. If the preliminary assessment is that a violation has occurred, the investigator will recommend action to prevent any further damage, determine the seriousness of the offense, and attempt to identify the violator as quickly as possible. If a determination is made that no violation occurred, the person who reported the alleged violation should be notified of the findings.
The University has the authority to monitor computing activity as part of its responsibilities to operate secure computer and network systems. Investigation of a suspected violation may require appropriately authorized monitoring of computer activities, including examination of e-mail, network and Internet usage and personal files. These measures may only be taken after the administrator of the computer unit has approved them for each specific incident. When this level of investigation is reached, the Chief Information Officer will be contacted immediately, followed by a written report from the investigator within two working days. The Chief Information Officer has the authority to request, review and approve any specific monitoring activity that a computing unit may undertake as part of its responsibility to provide computer and network system security.
If appropriately authorized monitoring of computer or network use reveals evidence of a possible violation of law, this evidence may be provided to law enforcement agencies. If evidence of a possible violation of law is found in the course of an investigation, the computer unit investigator should contact the VCU Police Department.
Adjudication
If an investigation of a suspected violation of the Computer and Network Resources Use Policy concludes that a violation has occurred, action against a suspected violator may take one of three forms:
1. Informal resolution under these enforcement procedures - described below.
First level - not a serious offense and not a repeat or multiple violation.
Second level - serious offenses, repeat or multiple violations, or suspected
violator denies charges at the first level.2. Formal resolution under the University's Rules and Procedures, the Virginia Department of Human Resource Management's Classified Employee Standards of Conduct, or other appropriate disciplinary policy or procedure.
3. Legal action as determined by appropriate law enforcement agencies.
Depending on the seriousness of the violation and the past record of the suspected violator, the violation should be resolved informally whenever possible. However, at any time during the informal process, any participant may request a formal resolution.
The formal process shall be used for the most serious offenses - for example, intentional disruption or destruction of computer services, serious harm to a large number of people, and suspected violation of law.
Informal Resolution Process
A. Informal resolution - first level: for a first offense that is not serious (the offense did not cause disruption of computing facilities, and did not cause serious harm to any other individual or to VCU's public reputation).
The investigator or the administrator of the computer unit shall notify the suspected violator of:
- The violation;
- Corrective action the suspected violator must take;
- The suspected violator's option to deny the charge and to present evidence to refute it;
- The requirement that the suspected violator acknowledges receiving notification of the violation.
If the suspected violator does not deny or refute the charge, a written statement on the incident will be filed with the Chief Information Officer, as stated in the "Documentation" section below. No further action need be taken unless the suspected violator continues the offending action or fails to acknowledge receiving the notification.
B. Informal resolution - second level - used when a suspected violator denies charges under the first level, for a subsequent offense, and for all offenses that are serious (cause disruption of computing facilities or cause serious harm to one or more individuals).
1. The administrator of the computer unit will present the violation and any information related to the violation, including a copy of all written documentation, to the head of the suspected violator's department. For a student, this will normally be the chair of the department in the student's major. For contractors or visitors this will normally be the head of the department where the incident occurred.
2. The head of the suspected violator's department will arrange a meeting with the suspected violator and the administrator of the computer unit. The violation will be explained to the suspected violator, who will have an opportunity to refute the charges.
3. If the suspected violator admits to the violation or the department head concludes that the weight of evidence proves the suspected violator is responsible for the violation, the department head shall determine what disciplinary action should be taken. Such action may include restitution for damages and investigation costs. The administrator of the computer unit shall determine these costs.
4. If the suspected violator does not agree with the disposition of the case, the suspected violator can request formal adjudication as specified below.
Formal and Legal Resolution Processes
Formal resolution of a violation of the Computer and Network Resources Use Policy will be required when the suspected violator may have committed the most serious violations, committed repeat or multiple violations, or committed acts covered by the University's Rules and Procedures, by the Virginia Department of Human Resource Management's Classified Employee Standards of Conduct, by some other appropriate disciplinary policy or procedure, or by local, state, or Federal law.
For violations requiring formal or legal resolution, the administrator of the computer unit, the appropriate Dean or department head, and the Chief Information Officer shall determine the proper course of action, in consultation with Human Resources, Student Affairs, Audit and Management Services, the VCU Police Department or the VCU General Counsel, as appropriate.
Documentation
The computer unit investigator must keep a dated written or electronic log of each investigation and, when possible, electronic copies of all supporting correspondence and evidence. Disposition of this documentation shall be made in accordance with the following:
A. Informal procedure documentation
If the suspected violation is not proved, then all documentation and electronic records will be destroyed and no record of the incident will be retained.
If the suspected violation is not denied or is proved, a record of the offense will be maintained by the Chief Information Officer for two years or as required by Commonwealth of Virginia public records laws and regulations. All supporting computer unit investigator documentation and electronic records will be maintained for two years or as required by Commonwealth of Virginia public records laws and regulations and then destroyed.
B. Formal procedure documentation
Copies of the computer unit investigator's documentation and electronic records will be provided to the proper University investigator and, when appropriate, to VCU Police investigators. The computer unit investigator shall maintain the original documentation and records until adjudication procedures, both VCU and legal, are complete, including any appeal processes. After all formal procedures are complete, including any appeal processes, the original documentation shall be filed with the Chief Information Officer for five years or as required by Commonwealth of Virginia public records laws and regulations.
C. Records Maintenance
Information Security Officer will maintain official documentation on all alleged violations and investigations.
Special Circumstances
There are special circumstances under which the computer unit investigator or administrator of the computer unit is authorized or required to take specific actions to either protect the University's computer and network resources or to protect the University from adverse publicity or legal liability.
A. Serious risk of damage to the University's computer resources.
The computer unit investigator is authorized to suspend the suspected violator's access ID to the computer facilities. This action must not be taken lightly, because it can have the effect of suspending a student from class activities or suspending an employee from access to work. If the computer unit investigator determines that a suspected violator's access ID should be suspended, the Chief Information Officer and the suspected violator's immediate supervisor or academic department head, as appropriate, must be informed as soon as practical.
B. A document residing on or being accessible from a University system is suspected of infringing copyright law or licensed products are suspected of being made available improperly.
The computer unit investigator immediately should contact the person suspected of being responsible for posting such material so that this person can either remove the material or refute the charge. If the computer unit investigator cannot make contact with the person suspected of being responsible within 24 hours, the computer unit investigator should make the document (or computer product) inaccessible.
Because copyright infringement and license violations are matters of civil legal liability, the University's Office of General Counsel must be notified of such suspected incidents immediately.
C. " Child pornography" residing on or being accessible from a University computer system.
The computer unit investigator immediately must make such materials inaccessible. A copy of the directory containing the materials should be captured immediately and stored in a secure location. The copy should be made so as to retain all ownership and time-stamp information. If this is not possible, printed copies of this information should be made and stored in a secure location.
The VCU Police Department must be notified immediately of allegations of child pornography.
Initial Procedure Approved January 14, 2002 by University Information Technology Advisory
Committee
Procedure Last Revised December 7, 2001
