Regulation Concerning the Use and Management of Information Technology Resources

Title: Regulation Concerning the Use and Management of Information Technology Resources

Person in charge: Secretary General

This Regulation applies to: All users and administrators of Polytechnique Montréal’s information technology (IT) resources

Approval stages:

• Adopted as a policy by the Commission des ressources matérielles (material resources commission) on June 7, 2001.
• Adopted as a policy by the Assemblée de direction on October 3, 2001 (resolution AdD-2001-62)
• Adopted as a regulation by the Board of Directors on May 2, 2002 (resolution CAD-4905.1)

Polytechnique Montréal recognizes the importance, for members of its community, of having access to IT resources, and seeks to ensure their proper use in order to create a climate of trust and mutual respect, and ensure efficiency and responsible management. Polytechnique Montréal’s IT resources support its three-tiered mission of teaching, research and social influence, as well as its administrative functions and services. This Regulation aims to provide a framework for the use and management of all IT resources belonging to or overseen by Polytechnique Montréal. Access to Polytechnique Montréal IT resources comes with a set of rights and responsibilities that apply to all members of the Polytechnique community. This access can also be granted to individuals or organizations outside Polytechnique, with the same conditions.

3    Legal framework

• Applicable laws and pursuant regulations in Québec and Canada;
• Section 12.1 of the Règlements généraux de la Corporation de l'École Polytechnique de Montréal (general regulations of the Corporation de l’École Polytechnique de Montréal) which states that “within the limits of the law and regulations decreed under its authority, the Board may, on occasion, create regulations on [...] g) the conduct of the affairs of the Corporation, internal governance and, generally, any element that facilitates the enforcement of the law” [Translation];
• The le Règlement sur les conflits d'intérêts des membres du personnel (regulation on conflicts of interest among staff);
• Other regulations and policies in effect at Polytechnique Montréal.
  

The phrase “Polytechnique Montréal’s IT resources” includes all computers, computer networks, telecommunication equipment, peripherals, digital media, operating systems, software and any combination of the above, which Polytechnique owns, rents or manages, or to which it has access rights. Hardware and software purchased with research funds managed by Polytechnique Montréal also fall under this Regulation.

This Regulation:

• applies to all individuals or companies using Polytechnique Montréal’s IT resources and processing data belonging to Polytechnique Montréal. It covers all IT resources belonging to Polytechnique Montréal, regardless of where they are located, as well as all resources that do not belong to Polytechnique Montréal, but are used on its premises by individuals or organizations to whom this Regulation applies;
• covers all data entered, processed, transmitted or stored with the aid of IT resources that Polytechnique Montréal uses for teaching, research and management purposes and to provide services to the community.

1. The Secretary General oversees this Regulation and is in charge of appointing an IT security officer.
2. The IT security officer is in charge of applying the Regulation and putting in place the necessary mechanisms to monitor and ensure compliance with the same. He or she is also responsible for notifying offenders so that they can correct their actions, or for notifying the director with the highest authority in the unit to which an offender belongs of the latter’s inappropriate actions, which require sanctions.
3. The administrative authority of each unit is in charge of informing staff members, teaching staff, students and IT resource administrators of this Regulation.
4. All units with IT resources must appoint a supervisor. In addition to ensuring the smooth operation of the resources under his or her responsibility, this supervisor must also keep an up-to-date inventory.
5. Polytechnique Montréal assumes no direct or indirect responsibility for damage or loss, economic losses or inconveniences that may arise from the use, interruption or termination of its IT services.

Section 1

Users must only use the IT resources they have been granted permission to use by Polytechnique Montréal, regardless of whether these resources are located at the University or are accessed via the University network.

Section 2

Available resources must be used in an efficient and responsible manner, according to the objectives indicated when permission for use is granted by Polytechnique Montréal.

Section 3

Any unauthorized or illegal access to the University’s IT resources is forbidden.

Section 4

Users may not use their access to Polytechnique Montréal IT resources for unauthorized or illegal purposes, such as using illegal software, spreading viruses, re-routing networks, or destroying or modifying software or data.

Section 5

Users may not use their access to Polytechnique Montréal IT resources for commercial or advertising purposes, to promote commercial activities or for unauthorized solicitation.
Section 6

Users may not attempt to interfere with the normal use of IT resources or circumvent applicable restrictions.
Section 7

Users are forbidden to own or circulate pornographic or obscene material, or material with violent or racist connotations, or any other material forbidden by the laws and regulations in effect in Québec and Canada.
Section 8

Users are forbidden to use IT resources to harass, threaten, defame or circulate hateful or offensive statements, or to carry out any action that is forbidden by Polytechnique Montréal regulations or by the laws and regulations in effect in Québec and Canada.
Section 9

Users are entitled to confidentiality and must take reasonable measures to protect their communications as well as the integrity and confidentiality of data for which they are responsible.
Section 10

Under no circumstances may users share with other users the access codes, passwords or other personal authorizations they have been granted.

Section 11

Users are required to respect the right to security and confidentiality of other users by refraining from interfering in any way with their data or communications. Users must not attempt to breach the protection mechanisms of computers, systems, communications or data (passwords, encryption mechanisms, etc.).

Section 12

Users must at all times respect the copyright, intellectual property rights and licences that apply to the software, data and equipment they use. In particular, they must refrain from using, or directly or indirectly participating in, the illegal reproduction of data, of a software application or associated documentation without obtaining the permission of the copyright holder or trustee.

Section 13

Users must inform the manager concerned of any unauthorized use of the access codes, passwords or other personal authorizations they have been granted.

Section 14

Users must correctly identify themselves in all electronic correspondence and must provide a valid and easily traceable identification when prompted by Polytechnique Montréal applications and servers, or applications and servers accessed from Polytechnique Montréal. In particular, it is forbidden to use other users’ names or untraceable pseudonyms.

Section 15

To ensure an equitable sharing of resources, users are forbidden from misusing, monopolizing or using IT resources for purposes other than those for which they are intended. In particular, it is forbidden to misuse the network, email service, data storage space and computer lab equipment.

Section 16

Users may be subject to restrictions or additional regulations that may be applied to resources and services, according to demand, priority use, availability or the application of sanctions.

Section 17

System administrators must manage IT resources in compliance with the law.
Section 18

System administrators must inform users of this Regulation and restrictions applying to the resources for which they are responsible.

Section 19

System administrators must respect the confidential nature of information stored by or belonging to users during all management procedures.

Section 20

System administrators must take adequate measures to allow users to work in an environment maximizing security and the confidentiality of information, subject to the restrictions set out in Section 24. 
Section 21

System administrators must at all times respect copyright, intellectual property rights and licences applying to the software, data or equipment for which they are responsible, subject to the restrictions set out in Section 24.

Section 22

System administrators must prevent the modification, corruption and illegal reproduction of the data, programs and software (including documentation) for which they are responsible.
Section 23

Systems administrators must inform Polytechnique Montréal’s IT security officer of any failure to comply with this Regulation and must assist with any necessary follow-up measures.
Section 24

In cases of procedures such as operational maintenance, system upgrades, troubleshooting, the redirection of improperly addressed email, and equipment repairs, as well as cases of emergency, or if Polytechnique Montréal suspects a breach of this Regulation, authorized personnel are entitled to access users’ data. This list is intended to be indicative rather than exhaustive. In any other circumstances, staff must notify the individual concerned and obtain his or her consent.

Section 25

Anyone failing to comply with this Regulation is subject to sanctions, in addition to fines established by law. After reviewing the facts, sanctions will be imposed by Polytechnique Montréal directors and will vary according to the seriousness, scope, recurrence and repetition of the acts committed.
These sanctions include:

• Cancellation of access rights to IT resources and services as described in this Regulation; users will be prohibited from using all or part of certain IT resources and services;
• Users will be charged for benefits or services obtained in an unauthorized manner;
• Users will be required to reimburse Polytechnique Montréal for all costs incurred by the latter following the unauthorized, fraudulent or illegal use of its IT resources or services;
• Disciplinary measures or other sanctions provided in Polytechnique Montréal regulations may apply.

Section 26

Any individual or organization with serious grounds to believe that they have not been rendered justice through the application of this Regulation may appeal the decision.

The appeal, justified in writing within thirty days of notification of the contested decision, must be submitted to the Secretary General, who will determine whether the reasons stated are sufficiently serious to warrant an appeal. If the latter judges that an appeal is warranted, it will be heard by an ad hoc committee whose members are appointed by the functional director of the unit to which the offender belongs. The committee will be made up of Polytechnique Montréal professors and students or staff members. The parties concerned have the right to be heard by the committee if they so desire.