Code of Conduct: IT@NYU
Individuals working in NYU information technology and related areas (indicated in this document as "covered individuals") at New York University, at its portal campuses and global academic centers, hold positions of trust. We operate and safeguard NYU’s central information technology assets, including networks, computers, telephones, access controls, information, and databases. We provide technology-related services that are vital to the smooth functioning of the University and to the members of the University community. In these roles, every one of us must adhere to the highest professional and ethical standards.
The Code of Conduct: IT@NYU applies to all covered individuals, including student employees, as well as to all others who work in information technology and related areas at NYU as contractors, temporary staff, visitors, or in any other capacity, on a full-time or part-time basis; it does not form a contract. Failure on anyone’s part to comply with these standards may lead to disciplinary action, up to and including dismissal, as well as referral, as appropriate, to authorities for legal action. NYU IT reserves the right to amend this Code of Conduct: IT@NYU at any time and without notice, in its sole, good faith, discretion.
The purpose of this document is to help all of us become and remain familiar with the Code of Conduct: IT@NYU. Seven guiding principles summarize the Code. Information about each principle is provided in related sections of the Code.
I. Stay familiar and comply with the policies, laws, and regulations that affect your NYU
II. Safeguard the confidentiality, privacy, and security of NYU communications
III. Safeguard the accuracy, privacy, and security of NYU data and records
IV. Safeguard NYU services, systems, premises, property, and equipment from damage, disruption, attack, or intrusion
V. Fulfill requests for information or to conduct investigations concerning NYU data or facilities
only with the express authorization of IT management as listed in the Appendix
VI. Abide by copyright and intellectual property policies and ownership agreements
VII. Prevent personal interests from influencing NYU business dealings
For clarification of any item in the document or of any related University policy, please consult your team leader, supervisor, manager, or director at your portal campus or global academic center (see Appendix to reference your particular location).
Guiding Principle: Stay familiar with and comply with the policies, laws, and regulations that affect your NYU responsibilities.
Relevant policies, laws, and regulations include, but are not limited to, the NYU Code of Ethical Conduct, NYU employment policies, and specific NYU information technology policies, as well as e-commerce law, copyright law, the New York State Information Security Breach and Notification Act, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Financial Services Modernization Act (GLBA), and trans-border mandates. In addition, different rules exist in other countries in which NYU has global programs that often diverge considerably from those in the United States.
With the increasing complexity and interdependence of job responsibilities across information technology at NYU and more broadly across NYU's educational community, as well as the continuing evolution of associated NYU policy and public policy, it can be a challenge to keep current. Individuals are helped to fulfill their obligations to remain current through information and links on the NYU IT and various other staff sites, briefings about relevant policies, laws, and regulations, as well as guidance and training available through NYUiLearn, Town Halls and other meetings, and departmental announcements.
Guiding Principle: Safeguard the confidentiality, privacy, and security of NYU communications.
The principle of privacy is addressed extensively in United States federal, state, and local laws, and in various laws in the foreign countries in which NYU has global locations. Federal law prohibits unauthorized disclosure of communications of any kind (voice, data, email, or other non-voice communication) transmitted over NYU's networks or the public or private networks that NYU utilizes, or even the fact that a transmission was sent or received.
- Keep confidential what you see and hear when handling transmissions that use voice, data, facsimile, and other technologies, as well as when on site visits providing any NYU information technology or related service. Information from any communication or the fact that a communication has taken place may not be used for your personal benefit or for the benefit of others.
- However, if you learn of an emergency involving immediate danger of fatality or serious injury, immediately contact the NYU Department of Public Safety (212-998-2222) and/or 911, or the appropriate Public Safety office at your global location. Then, immediately report that contact and the related information to NYU IT management, i.e., your immediate supervisor, or to the relevant individual for your location referenced in the Appendix to this Code.
- Except when explicitly authorized by information technology management, do not comply with any request for such information as:
- who is talking or has talked on a circuit;
- who communicates or has communicated by email or other electronic means;
- who transmits data to or from a particular location on NYU-NET or the Internet;
- the specific location a person or computer is transmitting to or receiving from;
- what has been communicated;
- the nature of the business being handled.
Refer to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code any subpoena or other request for information. (See Section V.)
- Keep unlisted phone extensions, email addresses, and related data confidential. Some telephone extensions, email addresses, and other data are not listed in University directories for specific reasons. Such information should not be disclosed, except when explicitly authorized by NYU IT management or the relevant individual for your location referenced in the Appendix to this Code.
- Listening to, reading, monitoring, recording voice or data communications, as well as permitting such behavior by others are all prohibited activities, except to the extent that you have been authorized to do so in the performance of your job.
- Making calls, sending email, or using any NYU account, database, or system via methods that fail to leave normal accounting records, logs, or like documentation, are prohibited. Third-party and collect charges to NYU telephone numbers are prohibited. It is against NYU policy to apply for a calling card billable to the University unless authorized to do so.
- Do not permit the installation or use of any device which permits anyone to listen to, record, observe, or access the content of any communication transmitted over the NYU network or observe that a communication has taken place, except if explicitly approved by NYU IT management. Any indication that someone has attempted to violate the privacy of a communication should be reported immediately to NYU IT management. Examples of this behavior include attempts to gain access to circuits or records, connect monitoring devices, obtain password files or network data, conduct unauthorized network sniffing, obtain unauthorized access to databases or services, or obtain billing information.
- Establishing unauthorized means to enable anyone to access University services is prohibited. Do not permit anyone to connect any device to NYU facilities unless you are authorized to do so and unless the device is connected in accordance with NYU IT practice, is installed in a safe manner, and is intended for legal use. Using a device or technique that manipulates or avoids billing arrangements to defraud the University is not allowed.
Guiding Principle: Safeguard the accuracy, privacy, and security of NYU data and records.
Accurate and reliable data are essential for University operations. Data kept on systems managed by NYU IT and/or serviced by individuals from NYU IT or related areas include a wide range of subjects and must be kept accurate and available for authorized purposes at all times. These data should be disclosed only to authorized University personnel with a legitimate need to know. See the Electronic Data and System Risk Classification Policy for guidance.
- Be vigilant in safeguarding records and data, including paper files and computerized records, and sensitive information on any sort of mobile device. Records containing sensitive information and data about individuals require especially attentive protection to safeguard individual privacy and to ensure their confidentiality, integrity, availability, and auditability.
- If the work you perform entails servicing computers owned by or assigned to other members of the University community, it is your responsibility to maintain the privacy, security, and integrity of the contents of the computer. You may not read, copy, or transmit any data or information found on that computer without the consent of the person responsible for the computer. Backups of the contents of the computer must be properly secured, in accord with practices approved by NYU IT management.
- Sensitive data should not be left in a public place where others may view them. Public places may include unattended fax machines or printers as well as your personal workspace. In an open workspace, take extra care to ensure that sensitive data are not left on an unattended computer screen or out in the open. Cabinets and computers that include these records must remain secured and accessed only for authorized purposes. All backups must be properly secured.
- The willful, unauthorized destruction, alteration, attempted destruction or alteration of NYU data, as well as making false entries or failing to make correct entries in NYU data, are violations of University policy and, in some instances, of the law.
- Report to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code anyone who tries or is suspected of trying to alter, destroy, steal, or obtain unauthorized access to records or data.
- Ensure proper disposal of data containing University information, whether recorded on paper, magnetic media, optical media, or any other format, and properly dispose of computers, multifunctional printers, or other electronic storage devices according to the NYU Asset Management requirements and the NYU Standard for Destruction and Disposal of Electronic Equipment and Data.
- Be mindful of the Electronic Data and System Risk Classification Policy, especially concerning High Risk data.
Guiding Principle: Safeguard NYU services, systems, premises, property, and equipment from damage, disruption, attack, or intrusion.
Information concerning the facilities, systems, and services that NYU IT and related areas plan, provide, or use could be of interest to someone who seeks to misuse or destroy them. Be careful to prevent inadvertent disclosure of sensitive information, including information about NYU's physical plant, plans for service, future construction, restoration procedures, and security procedures. Privileged access should not be breached. Report any violation or suspected violation to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code.
- Access to NYU information technology facilities, systems, and equipment is restricted to authorized NYU information technology staff, NYU personnel, consultants, and vendor personnel. Exercise extreme care to prevent unauthorized access to facilities, systems, and services and disclosure of data, passwords, identification media and information, and sensitive procedures. Loss or theft of keys or access devices used for entry into controlled-access areas should be reported immediately to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code. Covered individuals have a special responsibility to safeguard administrative access to systems and databases.
- If you learn of an emergency involving immediate danger to NYU facilities or encounter an unauthorized person in them, immediately contact the NYU Department of Public Safety (212-998-2222) or the appropriate Public Safety office at your portal campus or global location. Then immediately report that contact and the related information to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code. If you suspect that an NYU system has been breached, report it immediately to NYU IT Office of Information Security (email@example.com).
- Do not divulge sensitive information concerning NYU’s information technology plans, facilities, services, operating arrangements, or other internal activities to anyone, including another NYU employee, who is not authorized to know it. Locations of equipment, circuits, trunks, cables, and systems should not be shared with unauthorized persons. Do not display, disclose, or transmit information from or about security systems, including lock and surveillance systems, to anyone outside NYU information technology without permission from NYU IT management or from the relevant individual for your location referenced in the Appendix to this Code.
- Comply with building admissions procedures established by the NYU Department of Public Safety at each NYU location. Report to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code any attempts to enter controlled NYU information technology space by someone who may be unauthorized to do so.
- Covered individuals are responsible for the protection and integrity of equipment issued to them for on-campus or off-site use. Likewise, individuals are expected to apply prudent security measures to all personally-owned equipment that they use in support of NYU business. Policies covering the proper use of office and off-site equipment are issued periodically and must be followed.
Guiding Principle: Fulfill requests for information or to conduct investigations concerning NYU data or facilities only with the express authorization of NYU IT management.
- Any court order, warrant, or subpoena requesting such investigation or release of NYU records or information must be referred first to the Vice President, Information Technology & Global University Chief Information Officer or to the senior relevant individual for your location referenced in the Appendix to this Code, for consultation with University Counsel; you may not take individual action to comply with the request.
- Refer all requests from other NYU offices, or non-NYU organizations or individuals for information or investigations of records or facilities managed by NYU IT or related areas to the relevant individual for your location referenced in the Appendix to this Code for authorization; you may not take individual action to comply with the request.
Guiding Principle: Abide by copyright and intellectual property policies and ownership agreements.
Official statements about the use of copyrighted material at NYU, including the Statement of Policy on Intellectual Property effective July 1, 2012, are published on the University's Policies and Guidelines website. The Educational and Research Uses of Copyrighted Materials Policy Statement also may be reached through that site. NYU's copyright and intellectual property policies continue to evolve; NYU IT participates in the ongoing review.
Work products and software created by covered individuals working in NYU IT and related areas at NYU as part of their job responsibilities are owned by New York University.
- Except for internal use by NYU IT or related areas, any copyrighted materials, including copyrighted publications and vendor documentation should not be copied without the permission of the copyright owner. This includes manuals, newspapers, trade journals, magazines, and other publications, as well as copyrighted materials distributed in other media such as audio and video.
- It is NYU’s policy not to use software unless it has been properly licensed and paid for, and it is registered, as required, with the manufacturer. If copyrighted software is licensed to an individual, it is against policy to share it, even within the office.
- Software and work products, whether developed or customized by the University, are proprietary to NYU. They should not be shared with anyone outside of our workgroups without express permission of NYU IT management or the relevant individual for your location referenced in the Appendix to this Code. We recognize that sharing appropriate information with certain communities inside and outside the University can provide significant benefit in the pursuit of our duties. This guideline is not meant to preclude such normal and customary exchanges of information, including the sharing of code where appropriate and authorized. Nevertheless, it is expected that official copyright policies and guidelines will be observed.
- In general, in software acquisition agreements, NYU agrees not to take any action, such as reverse assembly or reverse compilation, to devise a source code equivalent of vendor software delivered in object code form. Such actions are therefore not permitted.
- Covered individuals, from time to time, may enter into specific non-disclosure agreements with vendors. We must act in accordance with these agreements, taking care to not disclose trade secrets, private, financial, technical, and business information.
- Except for publicly filed tariffs, the rates that NYU pays for services are typically proprietary. Do not disclose either the rates or the bills and invoices that reflect the rates unless authorized to do so by NYU IT management or the relevant individual for your location referenced in the Appendix to this Code.
Guiding Principle: Prevent personal interests from influencing NYU business dealings.
Be aware that relationships with a supplier might create a conflict of interest or might appear to impair independence of judgment on behalf of the University. Purchasing decisions should be made in accordance with the established policies and guidelines of NYU IT or the relevant offices for your location referenced in the Appendix to this Code and of the University. When in doubt, seek guidance from your immediate supervisor. (See also the NYU Buying & Paying website.)
- Maintaining certain interests outside of NYU IT and related areas while an individual fulfills fiscal responsibilities at NYU may potentially create a conflict of interest. Fiscal responsibilities include managing budgets, preparing budget recommendations, authorizing expenditures, managing contracts, and other financially influential responsibilities. Designated covered individuals with such responsibilities are expected to disclose potential conflicts of interest to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code.
- Exercise good judgment when negotiating purchases or contracts on behalf of the University. Avoid making such arrangements or commitments with any supplier or contractor with whom you have a personal interest, either direct or indirect, except under the express direction of NYU IT management or the relevant individual for your location referenced in the Appendix to this Code.
- No financial or contractual commitments for material or services may be made on behalf of the University, except with the express approval of NYU IT management or the relevant individual for your location referenced in the Appendix to this Code.
- In general, accepting or soliciting, even indirectly, gifts, loans, "kick-backs," special privileges, services, benefits, or unusual hospitality is not permitted. Exceptions can be made for promotional materials of nominal value, such as coffee mugs, calendars, tee shirts, and modest entertainment expenses such as a meal or ticket to an event. Gifts of large value, including extensive hospitality, should be reported to NYU IT management or to the relevant individual for your location referenced in the Appendix to this Code.
|Len Peters||Vice President, Information Technology & Global University Chief Information Officer|
||Associate Vice President, Research Technology and Chief Digital Officer|
||Associate Vice President, Digital Accessibility|
|Jeff Capuano||Associate Vice President, Global Infrastructure and Operations|
||Senior Associate Vice President, Institutional Solutions Group|
|Ben Maddox||Associate Vice President, Teaching & Learning Technologies, Chief Instructional Technology Officer|
|Annie Merkle||Associate Vice President, IT Strategy, Planning, and Engagement|
||Associate Vice President and Global University Chief Information Security Officer|
Associate Vice President, Business Services Office
NYU Abu Dhabi (NYUAD) IT
|Patrick O’Brien||Executive Director, Campus Technology Services|
||Associate Director, IT Services|
NYU Shanghai (NYUSH) IT
|Pan Chang||Director, Information Technology|
About This Policy
Effective Date Supersedes N/A Issuing Authority Vice President, Information Technology & Global University Chief Information Officer Responsible Officer Vice President, Information Technology & Global University Chief Information Officer