Acceptable Use Policy

This policy applies to all individuals who access computing and technology resources licensed, owned, managed, or otherwise provided by Earlham College (“Earlham”), regardless of the method of access. Covered individuals include but are not limited to:

• Employees of Earlham College, including the Earlham School of Religion
• Students (undergraduate, graduate, and non-degree-seeking)
• Retired employees
• Contractors, consultants, volunteers, and service providers
• Guests or affiliates granted access to Earlham technology resources

Earlham’s technology infrastructure exists to support activities needed to fulfill the organization’s mission. Access to these resources is a privilege and carries corresponding responsibilities.

Institutional use in support of Earlham’s mission takes precedence over personal or recreational use. Any use that disrupts, degrades, or compromises Earlham operations, security, or community trust is prohibited.

Earlham is committed to academic freedom and intellectual inquiry. While Earlham owns and manages its systems and institutional data, ownership of scholarly ideas, research, and creative works is governed by applicable intellectual property policies and faculty agreements.

While Earlham College respects individual privacy, use of institutional technology resources is subject to monitoring and review as described in this policy.

1. Chief Information Officer: The Chief Information Officer (CIO) is accountable for the implementation of the Information Security Program.
2. Credentials: Authentication information issued or approved by Earlham, including usernames, passwords, passphrases, cryptographic keys, multi-factor authentication tokens, smart cards, and similar mechanisms used to verify identity.
3. Employee: A person employed by Earlham either full- or part-time, including student-employees when acting within the scope of their employment.
4. Information Technology Resources: All hardware, software, networks, cloud services, data, accounts, and related systems provided or funded by Earlham.
5. Named Individual: A specific, identifiable natural person expressly designated by name.
6. Restricted Data: As defined in Earlham’s Data Classification Policy.
7. Student: Any person who is admitted, enrolled, or registered for study at Earlham College, both undergraduate and graduate, for any academic period and/or those who may attend other educational institutions but reside in an Earlham residence facility. Those who are not officially enrolled for a specific term but who have a continuing relationship with, or an educational interest in, Earlham are considered “students.” A person also shall be regarded as a student during any period in which the student is under suspension or leave from the institution or when the person is attending or participating in any preparatory activity before the beginning of a school term, including, but not limited to, pre-orientation experiences, orientation, placement testing, and residence hall check-in.

1. Users should be aware that Earlham-owned, managed, or provided information technology resources are intended to support the institution’s academic, administrative, and operational activities. While Earlham respects individual privacy, such resources are subject to monitoring and review to the extent permitted by law as necessary to protect and preserve those activities.
2. Earlham may access, review, or disclose system activity for legitimate institutional purposes, including:
   • Maintaining information security and protecting against threats
   • Ensuring system performance, integrity, and reliability
   • Supporting compliance with applicable laws, regulations, and College policies
   • Conducting investigations and responding to security events and incidents
3. For the purposes of this policy, system activity includes but is not limited to, email, files, logs, and network traffic.

1. Earlham-issued credentials assigned to Named Individuals may not be shared or used by others.
2. Users are responsible for safeguarding their credentials and must not disclose, reuse, or store credentials in unsecured locations, such as plain text files, shared documents, or written lists.
3. Earlham credentials must not be reused for non-Earlham systems or personal accounts.
4. Shared or role-named accounts may only be used when approved by the CIO or designee and must be managed according to documented controls.

A. General Responsibilities

All users of computing and technology resources licensed, owned, managed or otherwise provided by Earlham must comply with applicable federal and state laws, institutional policies, contractual obligations, and license agreements. This includes respecting copyrights, patents, trademarks, export controls, and intellectual property rights.

Users may only access systems, data, and resources for which they are authorized, as necessary for their responsibilities, and only in ways consistent with Earlham’s mission and values.

B. Respect for Others and the Community

Users must honor the rights of others to privacy, academic freedom, and freedom from discrimination and harassment. Technology resources may not be used to:

• Harass, bully, threaten, intimidate, or stalk others
• Create a hostile or disruptive work or learning environment (including doxing)
• Continue inappropriate, unwanted communications after being asked to stop

Users may not interfere inappropriately with others’ use of technology resources, including by consuming excessive resources or intentionally degrading system performance.

C. Limited Personal Use

Limited personal use of Earlham technology resources is permitted provided that such use:

• Does not interfere with job duties or academic responsibilities
• Does not consume significant institutional resources
• Does not incur additional cost to Earlham
• Does not violate security, legal, privacy, or ethical requirements

D. Security and System Integrity

Users may not:

1. Circumvent, bypass, or disable security controls or authentication mechanisms
2. Knowingly introduce malware (e.g., viruses, worms, ransomware)
3. Perform scanning, monitoring, or interception of network traffic, without written approval from the CIO
4. Access accounts, systems, or data without authorization
5. Impersonate others or falsify identifying information (e.g., spoofing headers)
6. Create or use unauthorized proxy services or redirect network traffic without approval from the CIO

Administrative or privileged access must be limited and is subject to review. Where feasible, users are expected to operate using non-privileged accounts. Exceptions require approval by the CIO.

Earlham permits the use of personal devices to access certain institutional services, such as email, cloud storage, and learning platform, Moodle. Users are responsible for maintaining reasonable security controls on personal devices.

Users handling restricted data on non-Earlham devices may be subject to additional requirements.

Earlham has a legal and ethical obligation to protect information in accordance with its Data Classification Policy. At a minimum:

• Users must not transmit Restricted information using unapproved messaging technologies, such as SMS or consumer chat platforms.
• Users must not store Restricted information on removable media or personal devices unless they receive explicit approval.
• Users must use only approved Earlham‑managed resources to store or process Restricted and Internal information.

Users must secure devices and activate workstation locking when unattended

1. Users who suspect or become aware of activity that may violate the behavioral standards or security protocols outlined in this policy are expected to report it promptly to ITS. Suspected or confirmed security events and incidents, including unauthorized access, credential compromise, or the loss or theft of devices should be reported as soon as possible, and no later than the start of the next business day, through one of the following channels:
   • For Immediate Support and Security Event/Incident Intake: Information Technology Service Help Desk
   • For Escalation of Sensitive Concerns: Chief Information Officer
2. Failure to report prohibited conduct or attempts to prevent another community member from reporting prohibited conduct, is itself a violation of Earlham policy and may result in disciplinary action.
3. The loss, theft or inappropriate use of organization access credentials (e.g. passwords, key cards or security tokens), assets (e.g. laptops, cell phones), or other information must be reported to the Information Technology Services Help Desk as soon as possible, and no later than the start of the next business day.

Failure to comply with this and related policies may result in disciplinary action, up to and including suspension without pay, or termination of employment or expulsion, in accordance with applicable disciplinary procedures.

Earlham College makes no warranties of any kind, whether expressed or implied, concerning the information technology resources that it provides. Earlham College is not responsible for damages resulting from the use of information technology resources, including but not limited to loss of data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of an Earlham College employee, or by any user’s error or omission. Earlham College specifically denies any responsibility for the accuracy or quality of information obtained through information technology resources, except material that is presented as an official record of Earlham College.

This policy will be reviewed annually by the Chief Information Officer.

• The Gramm – Leach Bliley Act (GLBA)
• Family Educational Rights and Privacy Act (FERPA)
• NIST Special Publication 800-171
• Federal Information Processing Standard Publication 199 (FIPS-199)
• Code of Ethics of the American Library Association
• Intellectual Property Policy

May 19, 2026 – Revision approved by President Paul Sniegowski

• May 19, 2026 – Review by College Council
• April 16 – May 18, 2026: Comment Period

January 26, 2024 – Policy approved by Stacy Lutz Davidson, Senior Vice President for Finance and Administration/Chief Financial Officer