Acceptable Use of IT Resources

Updated: October 9, 2025

This regulation replaced Network Use Regulation (RUL08.10.03), Academic Computer Use Regulation (REG08.05.10) and University Student and Employee Computer Use Regulation (REG08.05.04). All three repealed PRRs are listed as attachments under policy versions.

Policy:
REG08.10.05
Title:
Acceptable Use of IT Resources
Category:
Sub-category:
Information Technology
Authority:
Chancellor
Contact:

Chief Information Officer (252) 328-9000
Related Policies:
Additional References:
History:

Approved October 9, 2025. Replaces Network Use Regulation, Academic Computer Use Regulation, University Student and Employee Computer Use Regulation
Previous Versions:

All versions are available as PDF downloads

1. Introduction

University IT resources are provided to conduct University business and to support and enhance the academic and administrative functions of the University. This regulation governs the use of IT resources pursuant to UNC System Office Policy 1400.1 and 1400.2, which includes “information owned or possessed by the University, or related to business of the University, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information.” IT resources include computer systems, hardware, software, networking equipment, storage devices, accounts, data, and other digital resources. These assets are either owned by the University or used by the University under contract with an external provider. The use of these assets is governed by federal and state laws as well as University policies, regulations, and rules. University employees, students, and other covered persons must agree to comply with this use regulation and other applicable policies, procedures, and standards, as well as federal, state, and local laws and regulations, as a condition of having access to these resources.

Only users in compliance with this use regulation are authorized to use and/or access the University IT resources. This regulation covers the acceptable use of all IT resources and codifies what is considered appropriate

2. Definitions

  • 2.1 IT Resources: computer systems, hardware, software, networking equipment, storage devices, accounts, data, and other digital resources.
  • 2.2 Covered Persons: all persons and entities utilizing University resources, including, but not limited to, employees, students, retirees, emeriti/emeritae, guests, external individuals (such as vendors, contractors, and other third parties), or organizations.
  • 2.3 Networking Equipment: Networking equipment includes, but is not limited to, switches, hubs, routers, firewalls, load balancing devices, proxy service devices, wireless access points, blade server systems, Virtual Private Network (VPN) devices and/or devices requiring Virtual Local Area Networks (LANs).
  • 2.4 Mobile Computing Device: A portable computing device that provides persistent data storage and runs software applications much like a typical computing device. Examples of Mobile Computing Devices include, but are not limited to smartphones, tablets, laptops, and wearable computing devices.
  • 2.5 University Information: Information in any form (e.g., electronic, printed, or spoken) that is collected, created, stored, distributed or otherwise used by Covered Persons in the course of their relationship with the University. This information may be collected, created, stored, distributed, or used by Covered Persons in the course and scope of their employment, for educational purposes, teaching, research, administration, the provision of services to the University or as a result of volunteer responsibilities.
  • 2.6 Sensitive University Information: A subset of University Information that is confidential pursuant to ECU ‘s Data Classification Standard, specifically Level 3 and 4 data.
  • 2.7 Pornography: “[a]ny material depicting sexual activity,” as defined in N.C.G.S. 14 190.13. See N.C.G.S. 143-805(g).

3. Regulation

  • a. This Regulation applies to all Covered Persons utilizing information resources owned or possessed by the University, or related to business of the University, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information.
  • b. IT Resources used by the University must be reviewed and approved in accordance with the Software and Data Collection Services Acquisition Regulation.
  • c. Mobile Computing Devices used for University business must be used in accordance with the Mobile Computing Regulation.
  • d. All Networking Equipment must be reviewed, approved, and managed by ITCS unless an exception is made in writing by the Chief Information Officer.
  • e. Covered Persons shall protect University information from unauthorized and/or unlawful access, use, disclosure, destruction, and/or loss.

4. General Expectations

  • a. This Regulation shall be applied in a manner consistent with the University’s commitment to freedom of expression, as provided in the University’s Regulation on Freedom of Expression.
  • b. It is important for all users to behave in a responsible, ethical and legal manner. In general, acceptable use means respecting the rights of other computer users, the integrity of the physical facilities and all pertinent license and contractual agreements.

5. Obligations and Duties of Covered Persons

  • a. Covered Persons are responsible for knowing the security classification for all University Information, as found in the ECU Data Classification (see Additional References above), for all data under their control (e.g., public, internal, confidential/sensitive, highly restricted). Depending upon the data’s security classification, Covered Persons must protect information under their control from inappropriate disclosure or unauthorized use and must report any concerns of such unauthorized access, exposure, or use immediately to the ITCS Pirate Techs Service Desk. Employees unsure about the security classification of data in their control should contact their supervisor. Other Covered Persons unsure about the security classification of data in their control can contact the IT Enterprise Data Management Support Services Team (edmss@ecu.edu).
  • b. Covered Persons must have valid authorized accounts and may only use IT resources for which they have specific authorization.
  • c. Covered Persons are responsible for taking reasonable precautions to safeguard their accounts, data, assigned devices, and other IT resources.
  • d. Covered Persons may not change, copy, delete, read, or otherwise access files or software owned by other parties without the permission of the data custodian. Users may not bypass security mechanisms to circumvent data protection. Covered Persons may not attempt to modify software except when intended to be user customized. User customized refers to modifications made by users to software or applications that are intended and allowed by the software’s design. These modifications are typically done to personalize or enhance the functionality of the software for individual use, without altering the core code or violating licensing agreements. An example is a user customizing the settings of a word processing application to change the default font, set up custom templates, or install approved add-ins to enhance productivity. These changes are within the scope of what the software allows and do not involve altering the software’s underlying code or bypassing security features.
  • e. Users shall assume that any software they did not create is copyrighted. They may neither distribute copyrighted proprietary material without the written consent of the copyright holder nor violate copyright or patent laws concerning computer software, documentation, or other digital assets.

6. Prohibited Software

  • a. The following general categories of software are prohibited unless specifically authorized for University business, academic, or research use. Approval must be received in advance by both the appropriate Vice Chancellor/Provost, or their designee, and ECU’s Chief Information Officer (CIO).
    • i. Software that poses a high risk of compromising or impacting the security or integrity of the University network and security controls such as peer-to-peer (P2P), hacking tools, password descramblers, network sniffers, and port scanners.
    • ii. Software that proxies the authority of one user for another, for the purpose of gaining access to systems, applications, or data illegally.
    • iii. Software which instructs or enables the user to bypass normal security controls.
    • iv. Any other software specifically identified as prohibited by Information Technology and Computing Services (“ITCS”) in response to emergent threats.
  • b. IT security concerns shall be reported to the ITCS Pirate Techs Service Desk promptly.

7. Prohibition of viewing of pornography on ECU networks and ECU owned-devices

  • a. Prohibited use on ECU Owned-Devices
  • i. Consistent with North Carolina law, ECU prohibits employees and students from viewing pornography on devices owned, leased, maintained or otherwise controlled by the University.
    • 1. A cell phone, desktop or laptop computer, or other electronic equipment capable of connecting to a network constitutes a “device” under this section, provided the device is owned, leased, maintained, or otherwise controlled by the University.
  • b. Prohibited use of ECU Networks
    i. University employees are prohibited from viewing pornography on the University’s respective networks, even if an employee utilizes their own personal cell phone or laptop.
    c. Exceptions
    i. The prohibitions in this section do not apply to an employee that is engaged in any of the following activities, in the course of the employee’s official University duties:
    • 1. Investigating or prosecuting crimes, offering or participating in law enforcement training, or performing actions related to other law enforcement purposes;
    • 2. Identifying potential security or cybersecurity threats;
    • 3. Protecting human life;
    • 4. Establishing, testing, and maintaining firewalls, protocols, and otherwise implementing this section;
    • 5. Participating in judicial or quasi‑judicial proceedings;
    • 6. Conducting or participating in an externally funded research project; or
    • 7. Researching issues related to the drafting or analysis of the laws of this State as necessary to fulfill the requirements of the employee’s official duties.
  • d. Reporting Obligations
    i. As required by NCGS 143-805, CIO shall annually report information to the State Chief Information Officer the following:
    • 1. the number of incidences of unauthorized viewing or attempted viewing of pornography the University’s network;
    • 2. whether or not the unauthorized viewing was by an employee, elected official, appointee, or student of the University; and
    • 3. whether or not any of the unauthorized viewing was on a device owned, leased, maintained, or otherwise controlled by the University.

8. Regulatory Limitations

  • a. Employees have no expectation of privacy in the material sent or received while utilizing University IT Resources, personal data stored on University IT Resources, or University information stored on personal devices.
  • b. The University has the right to monitor network traffic, including electronic mail (e-mail), to and from privately owned machines connected to the University network within the limitations of this Regulation.
  • c. While the University does not generally monitor content, access of individual data may be necessary in specific incidents to ensure the security and operating performance of IT Resources.

9. Monitoring and Access

  • a. The University generally does not monitor or restrict material residing on University computers housed within a private domicile or on non-University owned, leased, or controlled computers, whether or not such computers are attached or able to connect to campus networks. If a University administrator is informed of inappropriate employee or student conduct associated with IT Resources, the University shall be obligated to investigate and enforce applicable federal and state laws, and the policies, regulations and rules of the UNC System and the University.
  • b. While the University does not routinely access employees’ computers, storage, communications, or documents, the University may review or monitor the use of IT Resources, reasonably limited in scope and relevance, when permitted by applicable law and/or University policy.
  • c. Access to an employee’s computers, storage, communications, and documents may occur in the following circumstances, if deemed necessary by authorized personnel:
    • i. ensuring the security and operating performance of University IT Resources.
    • ii. ensuring compliance with University policies, regulations, or rules, or state or federal law.
    • iii. performance of audit-related activities, in accordance with NCGS § 116-40.7(b) and the Internal Audit Charter.
    • iv. compliance with E-discovery rules relating to an actual, threatened, or potential lawsuit, including the University’s response to a subpoena, court orders, or other lawful access request.
    • v. evaluating and addressing an imminent threat to health or safety.
    • vi. conducting authorized University investigations.
    • vii. responding to legitimate public records requests.
    • viii. ensuring business continuity where an employee has separated from University employment or will be absent for an extended period of time.
    • ix. For other purposes, when approved in advance by the Chancellor in consultation with the appropriate Vice Chancellor and the Office of University Counsel.
  • d. Any requests to access an employee’s IT Resources will be reviewed and approved by the Chancellor or their designee prior to access being granted.

10. Incidental Personal Use

  • a. Employees shall adhere to this Regulation and any related University rules, regulations, and procedures, for University business utilizing University IT Resources. Employees may otherwise access these resources for incidental personal use, subject to the following considerations:
    • i. Personal use carries no expectation of privacy.
    • ii. The use does not interfere with an employee’s performance of their University duties.
    • iii. The use is lawful under federal and state law.
    • iv. The use is not prohibited by UNC System or University policies, regulations, or rules.
    • v. The use does not negatively impact IT Resource security, performance, or availability.
    • vi. The use does not involve providing IT services to other users.
    • vii. The use does not involve installing software on University computers.
    • viii. The use does not result in commercial gain or private profit (other than what is allowable under University intellectual property policies).
    • ix. The use does not imply University sponsorship or endorsement.
    • x. The use does not violate federal or state laws or University policies on copyright and trademark.
    • xi. The use does not involve unauthorized passwords or identifying ways to circumvent IT security to gain unauthorized access.
    • xii. Employees shall not view pornography (as it is defined in G.S. § 143-805) on a device owned, leased, maintained, or otherwise controlled by the University. Employees are also prohibited from viewing pornography on any network supported by ECU.
    • xiii. Employees shall not speak on behalf of ECU through the use of any media, including electronic mail, unless specifically authorized to do so.

11. Application of Public Records Act

a. All information created or received for University business purposes which is stored, accessed, or transmitted on University IT Resources or personal devices may be subject to the North Carolina Public Records Act, unless an exception applies.

12. Federal and State Statues regarding Use of IT Resources

  • a. These federal and state statutes govern the appropriate use of IT resources by, ensuring security, ethical behavior, and legal compliance. Covered Persons should be generally familiar with the statutes below:
    • i. Federal Statute:
    • U.S. Code Title 18, Section 1030 – Addresses fraud and related crimes involving computers, including unauthorized access, hacking, and misuse of protected systems.
      It is designed to protect sensitive government, financial, and personal data from cyber threats and unauthorized intrusions.
  • b. North Carolina State Statutes:
    • i. NCGS 14-190.1 – Regulates obscene materials and exhibitions, prohibiting the distribution or display of obscene content.
      This law helps prevent the exposure of inappropriate or harmful materials, particularly in educational and public settings.
      ii. NCGS 14-456 – Criminalizes actions that deny computer services to authorized users, such as cyberattacks or intentional system disruptions.
      It ensures the availability and reliability of IT resources by penalizing individuals who engage in cyber sabotage or denial-of-service attacks.
      iii. NCGS 143B-920 – Requires department heads to report any suspected misuse of state-owned IT resources to the State Bureau of Investigation (SBI).
      This statute promotes accountability and transparency in government agencies by mandating the reporting of potential criminal activities involving state IT assets.
      iv. NCGS 143-805 – Prohibits accessing or viewing pornographic content on government networks or devices to maintain workplace integrity and compliance.
      The law reinforces ethical IT usage standards and helps prevent potential security risks associated with inappropriate content access.
  • c. These laws collectively aim to protect IT resources from misuse, ensure lawful digital practices, and enforce accountability in both federal and state IT environments.

13. Sanction and Remediation for Violations

  • a. Any violation of this Regulation may subject the individual to disciplinary action under relevant University policies, including but not limited to revocation of access privileges or suspension of use of any IT Resources. Violations may constitute “misconduct” under EPS and Faculty policies and/or “unacceptable personal conduct” under applicable SHRA or CSS/DMSS policies. For students, violations may constitute a violation of the Student Code of Conduct. For approved guests, violations shall result in appropriate remedial action depending on the guest’s affiliation.
  • b. Mandatory Reporting of Violations
    • i. Any individual who in good faith believes there has been a violation of this Regulation, should report the violation immediately to their unit administrator for review.
    • ii. Following review of a potential violation, and depending on outcome and severity of substantial violation, the unit administrator shall consult with Employee Relations in the Department of People Operations, Success and Opportunity (POSO). POSO shall notify the Office of University Counsel, the CIO, and any other relevant offices or officials. As necessary, in the sole discretion of the University, upon notification of a potential violation of this Regulation, the CIO has the authority to temporarily terminate computing resource access privileges pending completion of an investigation.