Information Security

Information and Technology Acceptable Use Policy FAQ

Last modified 7/2/2026

This FAQ is a plain-language companion to the 9.2 Information and Technology Acceptable Use Policy.

How to use this FAQ

This FAQ supplements the policy and does not change it. Where anything here differs from the policy, the policy governs.

Section references such as (Policy 9.2 §B.1) point to the matching part of the policy.


Who and what this policy covers

  • Who does this policy apply to?

Everyone who uses ISU information and technology (I&T) resources — students, faculty, staff, contractors, and other affiliated persons — and even campus visitors and event guests who connect to university networks. It applies regardless of your affiliation or relationship with ISU. (Policy 9.2 — Scope)

  • Does it apply when I’m off campus or using my own internet connection?

Yes. The policy applies to all uses of I&T resources regardless of your physical location or the network you connect from. (Policy 9.2 — Scope)

  • I already accepted this once. Why am I being asked again?

Accepting the policy is a condition of activating and keeping your access. The university may require you to periodically review and re-acknowledge it as a condition of continued access. (Policy 9.2 — Purpose; Review and Approval)

  • What counts as an “I&T resource”?

Broadly, anything ISU provides, manages, or operates to create, store, communicate, or process information: computers, networking hardware, peripherals, software, databases, cloud services — and the data itself. (Policy 9.2 — Definitions)

  • I work at Metcalf or University High School. Which policy applies to me?

The Lab Schools each maintain their own student technology acceptable use policy for the K-12 setting (including parental consent), and those govern student use of Lab Schools-specific resources. As a university employee, you remain subject to Policy 9.2 for your use of university I&T resources, and 9.2 applies as the university-wide standard wherever the Lab Schools policy does not address a topic. (Policy 9.2 — Scope, Laboratory Schools)



Accounts, passwords, and access

  • Can I share my password or let someone else use my account?

No. You must safeguard your accounts and credentials and must not share them. Your login also reaches sensitive systems, so sharing it can expose your own information. (Policy 9.2 §B.1)

  • A colleague is out and I need to handle their email. Is there a way to do this within the rules?

Sharing your credentials is prohibited, but sharing access through an approved delegation feature is a separate, supported approach.  (Policy 9.2 §B.1)

  • I think my account was compromised, or I lost a device. What do I do?

Report it promptly to the Technology Support Center at supportcenter@illinoisstate.edu or call (309) 438-4357. A “compromised account” is any credential reasonably suspected of unauthorized access or use. (Policy 9.2 §B.2; Definitions)

  • Are my ULID, university email address, and ID numbers “mine”?

They are university property and may be changed or revoked at any time. (Policy 9.2 §A.1)



Personal Use

  • Can I use ISU email or computers for personal things?

Incidental personal use is allowed if it is limited in time and resource consumption and does not interfere with your duties or the university mission. Your unit or supervisor may set additional limits. (Policy 9.2 §C.1)

  • Can I run a side business, sell things, or advertise using ISU resources?

No. Personal use cannot involve promotion, solicitation, commercial gain, profit, or advertisement, and cannot imply university sponsorship or endorsement. (Policy 9.2 §C.2)

  • I’m an employee — what about political activity on university systems?

Personal use by employees must comply with the State Officials and Employees Ethics Act, including its prohibitions on political activities. (Policy 9.2 §C.1)

  • Can I install my own software on a university computer?

Personally licensed software may be installed only if your Vice President or their designee approves it, it complies with university policy, it is properly licensed to you, and it does not interfere with your duties. (Policy 9.2 §C.3)



Data, privacy, and monitoring

  • Do I have an expectation of privacy on university systems?

I&T resources are institutional assets, and the university reserves the right to access, monitor, and inspect them as necessary for security, integrity, operations, and legal or policy obligations. Using them does not create a privacy expectation that would prevent that. Any such access is to be limited to what is reasonably necessary and conducted under applicable law and university procedures. (Policy 9.2 §D.1–D.2)

  • Can my supervisor or department head just read my files or email whenever they want?

The policy ties access aimed at investigating a specific individual’s conduct to the procedures governing that type of investigation (student conduct, employment actions, ethics investigations) — it is not open-ended. (Policy 9.2 §D.2)

  • What about my personal phone, tablet, or laptop?

If you access or store university data on a personal device, you must secure that device per university information security standards — for example password protection, encryption, and timely security updates. If the device is lost, stolen, or compromised, the university may remotely remove university-managed accounts and university data. This reaches only institutional data and services accessed through university-managed apps or accounts; the university will not access, search, or inspect your personal data, applications, or files outside university-managed resources. (Policy 9.2 §B.3; §D.2)

  • Could my emails or files become public records?

Possibly. As a public institution, information and records created, received, or stored on university I&T resources may be subject to disclosure under the Illinois Freedom of Information Act (FOIA) or as otherwise required by law. (Policy 9.2 §D.4)

  • How do I know how sensitive a piece of data is and how to handle it?

You are individually responsible for understanding the sensitivity of the information you handle and managing it under the 9.8 Information Security Program Policy and the 9.8.1 Data Classification Procedure. Unauthorized access, disclosure, or acquisition of data that must be kept confidential under Policy 1.10 is prohibited. (Policy 9.2 §B.2)



AI tools

  • Can I use AI tools (such as chatbots) for my work or coursework?

Yes, within the rules. AI use must comply with all other university policies — including academic integrity, research ethics, and intellectual property — and with all provisions of Policy 9.2. You are responsible for the accuracy and ethical implications of content you generate with AI. (Policy 9.2 §A.5)

  • Can I put university data into an AI tool?

Only if the AI tool has been authorized by the university for that data’s classification level. (Policy 9.2 §B.2)

  • Anything else I should know about AI-generated content?

AI output may contain copyrighted or otherwise protected material, and you are responsible for verifying its originality and legality before using it in university work. Additional university-wide AI guidelines may impose further requirements. (Policy 9.2 §A.5)



Contracts, "I Agree" buttons, and third parties

  • A free app or website wants me to click “I Agree.” Can I accept on behalf of ISU?

No — unless you have been granted specific contract authority under Policy 7.1.40. This applies whether the product is free or paid, because click-through terms can be binding legal contracts, and some bind the organization the user represents, not just the individual. (Policy 9.2 §A.2; Definitions)

  • We’re bringing in a vendor or external partner. Do they have to follow this policy?

Yes. Any third-party service, vendor, or external partner granted access to I&T resources must comply with all applicable university policies and security standards. (Policy 9.2 §A.4)



Prohibited conduct and copyright

  • What kinds of communications or activities are off limits?

Anything that violates state or federal law or university policy. This includes communications that are threatening, that incite imminent lawless action, or that are constitutionally obscene, as well as fraudulent or unethical communications, breaches of the peace, use of resources for financial gain, and illegal activity such as copyright infringement, harassment, fraud, or unauthorized security breaches. (Policy 9.2 §A.3; Definitions)

  • What about downloading or sharing copyrighted movies, music, or software?

You must observe copyright, intellectual property rights, and software license terms, and copyright infringement is specifically prohibited. (Policy 9.2 §A.2–A.3)



Reporting and consequences

  • I saw misuse or a policy violation (harassment, prohibited communications, copyright). Where do I report it?

Report suspected misuse or policy violations to abuse@ilstu.edu. (Policy 9.2 §E.1)

  • I think there’s a security incident — a breach, a compromised account, or a lost or stolen device. Where does that go?

Report it to the Information Security Office at informationsecurityoffice@illinoisstate.edu. (Policy 9.2 §B.2)

  • What if I feel threatened or in personal danger because of someone’s online behavior?

If it is an emergency or needs immediate attention, do not use an email or web form — contact police directly:

  • Emergency: dial 9-1-1.
  • ISU Police Department: (309) 438-8631 — this line is always open.
  • The Safe Redbirds app is ISU’s official safety app and another fast way to reach help.

For threatening or harassing online conduct that is not an immediate emergency, you can report the acceptable-use aspect to abuse@ilstu.edu and use the reporting channels at saferedbirds.illinoisstate.edu/report (which route concerns such as stalking or relationship violence to the right office). Note that the Safe Redbirds report site is not monitored around the clock, so anything urgent should go to ISU Police by phone.

  • What happens if I violate the policy?

This policy applies to all users, and everyone is accountable to it. How a violation is handled depends on your affiliation: for students, through the student conduct process (the Code of Student Conduct); for faculty and staff, through the applicable employee disciplinary process, up to and including termination or dismissal. Any user may also lose access to university technology and, depending on the conduct, face civil or criminal legal consequences. Violations are handled under 9.2.1 Procedures for Appropriate Use Violations.

  • Am I responsible for things that happen through my account even if I didn’t do them?

You accept individual responsibility for all violations that occur from or with your use of I&T resources, and you are expected to cooperate fully with investigations. This is another reason not to share credentials. (Policy 9.2 §E.1)



Training and ongoing responsibilities

  • Do I need to do anything to stay in good standing?

Familiarize yourself with the policy and complete any university-mandated training related to acceptable use. The university may also require periodic review and re-acknowledgment. (Policy 9.2 §A.6; Review and Approval)



Quick reference: key contacts

Emergency / personal dangerDial 9-1-1 • ISU Police (always open): (309) 438-8631 • Safe Redbirds app
Security incidentsinformationsecurityoffice@illinoisstate.edu
Policy misuse / violationsabuse@ilstu.edu
Safety reporting (non-emergency)saferedbirds.illinoisstate.edu/report
Full policy textpolicy.illinoisstate.edu/technology/9-2

Feedback

To suggest an update to this article, ISU students, faculty, and staff should submit an Update Knowledge/Help Article request and all others should use the Get IT Help form.