IT Code of Computing Ethics
Upon hire and once every year, all Information Technology (IT) division employees must agree to the IT Code of Computing Ethics. This agreement codifies IT standards of ethical conduct for system operation and data handling at Pepperdine University.
In addition to IT division employees, Information Technology may also require other University employees to sign and agree to this code of conduct in order to obtain extended or administrative access to select systems or data.
The IT division of Pepperdine University is committed to protecting the integrity of our profession while promoting the University's mission and preserving the community's confidence in our services. In alignment with these commitments, all IT employees, along with all other University employees, adhere to the University Code of Ethics Policy, which affirms an ongoing commitment to ethical and honorable professional behavior.
Because of our unique responsibilities, all IT division employees (full-time and part-time, including temporary employees and student workers) are expected to adhere to the IT Code of Computing Ethics (herein referred to as "code of conduct"), which is intended to protect the privacy, use, and security of University information. This code of conduct serves not only to inform our employees of their special responsibilities with regard to security and privacy matters, but also to provide the University community with an understanding of our commitment as custodians of information resources.
This code of conduct applies to all Pepperdine University data regardless of where it is stored. This code of conduct applies irrespective of where University IT resources are accessed and used, including remote work use.
IT Code of Computing Ethics
- Employees must comply with all University information security policies and IT standards and procedures.
- Employees are to maintain and respect the confidentiality and privacy of information obtained through professional activities, disclosing information only when required to meet professional or legal obligations or where written consent has been granted by the owner of the information.
- Information identified as confidential by the presenter at University meetings or functions may not be disseminated to the public without the express written permission of the author of that information, or used in any way for unethical advantage. Examples include materials presented by IT or University management, presentations protected by the attorney-client privilege, and other documents or presentations specifically noted as confidential.
- In the course of their responsibilities, employees may require access to confidential and restricted data. Employees may disclose such data only to those authorized to obtain it by the Information Technology division or as required by law. Employees with system administrative rights must treat all data contained within those systems as private University data, and only access, use, or disclose such data in furtherance of assigned duties.
- Programs, files, emails, telecommunication logs, and any other data belonging to others will not be accessed, altered, or copied without prior authorization from the owner (unless required by law). Routine maintenance and official security review are exempted from this requirement. In most cases where system integrity is an issue, immediate intervention may be taken. Such intervention must be limited in scope and must be reported to the IT employee's respective director as soon as practical. Except as necessary to perform assigned duties, system/application data should not be divulged unless permission is granted by the owner. Authorization from the owner must be in writing, unless an exception is authorized by the Chief Information Officer or his/her designee.
- Data and information that is addressed by various privacy laws (e.g., Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA)) shall be protected from disclosure and handled in accordance with those laws.
- Computer and telecommunications accounts are to be used only by the authorized user of the account. Accounts are to be used only to support the completion of assigned duties as an employee.
- Incidental personal use of computing resources is permitted only as defined in the Computer and Network Responsible Usage Policy and may be limited by other published standards (e.g., "remote work agreement," department policies, etc.) or supervisor directives.
- NetworkID accounts, whether for individuals, batch programs, or system services, must only be created and managed by the Server Engineering group. Fully automated processes approved by Server Engineering may also create NetworkID accounts, but changes may not be put into production without prior approval from the manager of Server Engineering. IT employees outside Server Engineering are not to create NetworkID accounts for any reason, nor are they to elevate the network domain privileges of any NetworkID account unless requested in writing by the Director of Systems and Networking or one of his/her superiors.
- Passwords are not to be shared with any other individual. Each employee is responsible for selecting and changing his or her password(s) in accordance with the Strong Password Guidelines for Pepperdine University (https://mypassword.pepperdine.edu). Employees must use a password manager approved by the Information Security Office. Employees will not ask University community members and constituents to disclose their passwords to anyone. If the requested service is impossible to provide without the customer's password, the customer must be directed to change the password as soon as the IT employee has completed the requested service.
- To safeguard the integrity of the University's information systems, all employees must adopt the multi-factor authentication (MFA) services required by the Information Technology division. MFA, encryption, or other security services that would prevent all appropriate enterprise access to University systems or data in the absence of the employee's presence or consent shall not be employed.
- Employees must act with due professional care to observe applicable technical standards and guidelines (as established within documented IT security policies). They must be diligent in planning, supervising, and performing all activities for which they have assumed responsibility.
- Individuals witnessing any violation of this code of conduct must bring the matter to the attention of an appropriate IT officer (CIO or Directors) immediately.
Code Last Updated: September 22, 2022