Acceptable Use Policy Template For University IT Systems

January 6, 2015 by Dan Virgillito

Universities, colleges and other higher education institutions store PII (Personally Identifiable Information) such as credit card numbers, email addresses, medical records, many staff-related records, student-staff communications, library use records, intellectual-property records, highly sensitive research, and social security numbers. However, academic IT systems were designed to store and share data, not necessarily to protect it from cyber attacks. As a result, university IT systems are regularly targeted by hackers.

Obviously, cyber attacks have dire consequences for these institutions. But what exactly is targeted? And who pays the cost? Cyber criminals who target university IT systems aren't looking to steal transcripts, and the affected institutions pay a high cost in millions of dollars and damaged reputations.

Why target academic IT systems?

A SANS survey found that fewer than half of schools have a formal cyber risk assessment and remediation program in place. Campus networks are often left wide open to web-based attacks due to their open nature and multiple access points. Additionally, universities are failing to keep up with phishing and other scams. Cyber criminals waste no time in exploiting these vulnerabilities.

What's more worrying is that many attacks go undetected. Cyber breaches are a constant risk, yet many university IT departments lack the resources to constantly monitor security performance and take proactive measures to ensure the security of their records databases.

Hackers are likely to trade information stolen from campus networks in the dark corners of the Internet, where financial information isn't the only hot commodity. Any Personally Identifiable Information is considered valuable. Many universities also partner with government organizations and contractors, which makes them vulnerable to cyber espionage as well.

Recent incidents

Data from the Educause Center for Analysis and Research revealed there were 562 cyber security breaches at 324 educational institutions across the US between 2005 and April 25, 2014. That makes more than one breach a week. However, with several breaches going undetected and unreported, the actual figure is likely to be higher. Of the reported breaches, 77 percent took place within America's universities and colleges.

In February 2014, an online data breach at University of Maryland exposed records of more than 300,000 faculty, students, and staff. In May 2014, a cyber attack at Butler University in Indiana exposed records of 163,000 applicants, staff, faculty, graduates, and students.

At Weber State University in Utah, student Joseph W. Langford was charged with breaching faculty and university computers in August 2014. While the type of information accessed remains unknown, personal data of 1,200 people using the breached systems between January 2014 and April 2014 may be at risk.

Main security vulnerabilities of higher ed networks

University IT systems are a hotbed for cyber incidents and a playground for cyber criminals. Hackers are on the alert for the following vulnerabilities for a chance to infiltrate campus networks:

Poor password practices: Password-related cybercrime is at the forefront of campus network attacks, and it's all because of poor password practices. University staff and students don't understand the risks of reusing the same passwords for everything (online portal, email, social media, etc.). They sign up for all sorts of online services throughout their semesters and may be reusing the same easy-to-remember passwords. Even if a password is difficult for an adversary to guess, the answers to 'forgot my password' questions can be a gateway for hackers.

Inadequate knowledge about phishing emails: Those badly worded emails have become much more sophisticated over the years. Hackers can use these emails to take your name, look you up on social media, and find out where you live and who your friends are. Students and staff may fall victim to emails that include malicious links and attachments designed to infect a network or individual computer with malware that steals credentials, which can give hackers access to the entire university network. They can then launch a bigger attack, such as a distributed denial-of-service (DDoS) attack.

BYOD risks: Campuses are now considered a haven for devices. Students bring their own tablets, smartphones, and other devices to connect to campus networks, while faculty and staff do the same with their personal devices. These devices are an easy target for cyber criminals, as they are not as secure as an institution's data center, or even a personal laptop. Phone hacking software is sold for as little as $79 on the black market. Also, hackers find gateways via malicious apps and unsafe smartphone browsers.

Weak policies: Open access to college campus networks is great, but it can cause security issues in surprising ways. Just installing anti-virus software or firewalls doesn't make IT systems and networks secure. All it takes is one hard drive, one laptop, or one USB to be lost or stolen to cost millions of dollars in sanctions. Additionally, students may connect their smartphones to unsecured WiFi networks near the campus.

Acceptable use policy (AUP) template

This acceptable use policy template covers policies and measures required to strengthen the security of university IT systems. Students, staff, and faculty all have a significant role to play.

AUP for students

Avoid being over-social: Social media is great for interacting with friends and family, but you don't need to over-share. Look up privacy settings of each social network and configure it so that only people you know can see photos, videos, and so on.

Limit activities on open WiFi: Free WiFi is a blessing in college. But even if the university's own network is password-protected, you could be on the same network as a cyber criminal. Limit access to financial and other sensitive accounts when on these networks. Use a VPN (virtual private network) to foil any attempts at information theft.

Watch that email: Your email account is the hub of your academic experience. Unfortunately, it is also the breeding ground for adversaries. You may receive official-looking emails from hackers with malicious links and attachments, which redirect to sites where your credentials are compromised. Read emails carefully, and enable multi-factor authentication to avoid direct logins in case the password gets compromised.

Protect passwords: Speaking of password compromise, limit the chances of that happening by creating strong, unique passwords known only to you. Use a password manager to centralize the management of your passwords as you accumulate accounts over the semesters. Find a password manager you like, download and install it on your devices, and upgrade weak passwords.

Lock devices: Have you secured your gadgets, digitally and physically? While most universities stress digital security, they may not educate students about the importance of physically securing their devices. Many devices including laptops and tablets are being designed with special security slots that can be linked to a sturdy cable lock. Once you've cabled a device to something that a thief won't carry away, you significantly reduce chances of physical theft.

AUP for staff and faculty

Faculty and staff should abide by the above-mentioned acceptable use policy recommendations, as they're also prone to the cyber risks students commonly face. In addition, they should…

Create backups: It is good practice to create backups of all information stored on the campus network. While the aim of attacking university IT systems is largely to steal data or information, there's a chance of data getting destroyed during the breach process. You can back up information to the cloud, a hard drive, or other removable media such as a flash drive or DVD.

Update software: Worms, Trojans, viruses and other malware are common ways for cyber criminals to access sensitive information. Make sure the network and systems are protected by up-to-date software. Software updates include important improvements and fixes, sometimes addressing important security issues, so they should be applied immediately.

Securely remove data: When you are transferring a campus-owned computer from one department to another, or donating the system to an organization, it is important to ensure sensitive data has been shredded securely (deleting files does not completely wipe the data). Staff and faculty can use fee-based and free tools to securely remove data from their devices.

Register devices: Most universities have an online portal for staff and faculty where they can register their devices. This portal is usually secured by an external security company. The benefit of registration is that if your laptop or smartphone is ever stolen, the external security team will be able to detect thieves when they reconnect to the network. Students should also be educated about the benefits of registering their devices.

Plan for mitigation: Although we're being proactive about preventing cyber attacks, sometimes bad things will happen. The best thing you can do is have a response plan in place, which would involve partnering with a security firm that detects threats when it matters the most. The Ponemon Institute reported that .EDU institutions are expected to pay $259 per stolen record. Cyber liability coverage that includes a duty to defend policy may also be a good option.


The landscape of who the cyber criminals target has changed significantly. Universities and colleges should implement an acceptable use policy template throughout their institutions to protect resources that have tangible financial worth associated with them.


Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.