Skip Navigation
Forum Unified Education Technology Suite
  Home:  Acknowledgments and Introduction
  Part 1:  Planning Your Technology Initiatives
  Part 2:  Determining Your Technology Needs
  Part 3:  Selecting Your Technology Solutions
  Part 4:  Implementing Your Technology
  Part 5:  Safeguarding Your Technology
  Part 6:  Maintaining and Supporting Your Technology
  Part 7:  Training for Your Technology
  Part 8:  Integrating Your Technology
  Appendix A: Sample
Acceptable Use
Agreements and Policies
  Appendix B: FERPA Fact Sheet
  Appendix C: Web Guidelines
  Appendix D: Sample Security Agreements
  List of Tables and Figures
    Powerpoint Overview (700KB)
NCES Webmaster
Appendix A: Sample Acceptable Use Agreements and Policies

Sample Acceptable Use Agreement for Internet and Other Electronic Resources

(courtesy of the Rochester School Department, Rochester, New Hampshire)

The [Name of Organization] recognizes the value of computer and other electronic resources to improve student learning and enhance the administration and operation of its schools. To this end, the [Governing Body Name] encourages the responsible use of computers; computer networks, including the Internet; and other electronic resources in support of the mission and goals of the [Name of Organization] and its schools.

Because the Internet is an unregulated, worldwide vehicle for communication, information available to staff and students is impossible to control. Therefore, the [Governing Body Name] adopts this policy governing the voluntary use of electronic resources and the Internet in order to provide guidance to individuals and groups obtaining access to these resources on [Name of Organization]-owned equipment or through [Name of Organization]-affiliated organizations.

[Name of Organization] Rights and Responsibilities

It is the policy of the [Name of Organization] to maintain an environment that promotes ethical and responsible conduct in all online network activities by staff and students. It shall be a violation of this policy for any employee, student, or other individual to engage in any activity that does not conform to the established purpose and general rules and policies of the network. Within this general policy, the [Name of Organization] recognizes its legal and ethical obligation to protect the well-being of students in its charge. To this end, the [Name of Organization] retains the following rights and recognizes the following obligations:

  1. To log network use and to monitor fileserver space utilization by users, and assume no responsibility or liability for files deleted due to violation of fileserver space allotments.
  2. To remove a user account on the network.
  3. To monitor the use of online activities. This may include real-time monitoring of network activity and/or maintaining a log of Internet activity for later review.
  4. To provide internal and external controls as appropriate and feasible. Such controls shall include the right to determine who will have access to [Name of Organization]-owned equipment and, specifically, to exclude those who do not abide by the [Name of Organization]'s acceptable use policy or other policies governing the use of school facilities, equipment, and materials. [Name of Organization] reserves the right to restrict online destinations through software or other means.
  5. To provide guidelines and make reasonable efforts to train staff and students in acceptable use and policies governing online communications.

Staff Responsibilities

  1. Staff members who supervise students, control electronic equipment, or otherwise have occasion to observe student use of said equipment online shall make reasonable efforts to monitor the use of this equipment to assure that it conforms to the mission and goals of the [Name of Organization].
  2. Staff should make reasonable efforts to become familiar with the Internet and its use so that effective monitoring, instruction, and assistance may be achieved.

User Responsibilities

  1. Use of the electronic media provided by the [Name of Organization] is a privilege that offers a wealth of information and resources for research. Where it is available, this resource is offered to staff, students, and other patrons at no cost. In order to maintain the privilege, users agree to learn and comply with all of the provisions of this policy.

Acceptable Use

  1. All use of the Internet must be in support of educational and research objectives consistent with the mission and objectives of the [Name of Organization].
  2. Proper codes of conduct in electronic communication must be used. In news groups, giving out personal information is inappropriate. When using e-mail, extreme caution must always be taken in revealing any information of a personal nature.
  3. Network accounts are to be used only by the authorized owner of the account for the authorized purpose.
  4. All communications and information accessible via the network should be assumed to be private property.
  5. Subscriptions to mailing lists and bulletin boards must be reported to the system administrator. Prior approval for such subscriptions is required for students and staff.
  6. Mailing list subscriptions will be monitored and maintained, and files will be deleted from the personal mail directories to avoid excessive use of fileserver hard-disk space.
  7. Exhibit exemplary behavior on the network as a representative of your school and community. Be polite!
  8. From time to time, the [Name of Organization] will make determinations on whether specific uses of the network are consistent with the acceptable use practice.

Unacceptable Use

  1. Giving out personal information about another person, including home address and phone number, is strictly prohibited.
  2. Any use of the network for commercial or for-profit purposes is prohibited.
  3. Excessive use of the network for personal business shall be cause for disciplinary action.
  4. Any use of the network for product advertisement or political lobbying is prohibited.
  5. Users shall not intentionally seek information on, obtain copies of, or modify files, other data, or passwords belonging to other users, or misrepresent other users on the network.
  6. No use of the network shall serve to disrupt the use of the network by others. Hardware and/or software shall not be destroyed, modified, or abused in any way.
  7. Malicious use of the network to develop programs that harass other users or infiltrate a computer or computing system and/or damage the software components of a computer or computing system is prohibited.
  8. Hate mail, chain letters, harassment, discriminatory remarks, and other antisocial behaviors are prohibited on the network.
  9. The unauthorized installation of any software, including shareware and freeware, for use on [Name of Organization] computers is prohibited.
  10. Use of the network to access or process pornographic material, inappropriate text files (as determined by the system administrator or building administrator), or files dangerous to the integrity of the local area network is prohibited.
  11. The [Name of Organization] network may not be used for downloading entertainment software or other files not related to the mission and objectives of the [Name of Organization] for transfer to a user's home computer, personal computer, or other media. This prohibition pertains to freeware, shareware, copyrighted commercial and non-commercial software, and all other forms of software and files not directly related to the instructional and administrative purposes of the [Name of Organization].
  12. Downloading, copying, otherwise duplicating, and/or distributing copyrighted materials without the specific written permission of the copyright owner is prohibited, except that duplication and/or distribution of materials for educational purposes is permitted when such duplication and/or distribution would fall within the Fair Use Doctrine of the United States Copyright Law (Title 17, USC).
  13. Use of the network for any unlawful purpose is prohibited.
  14. Use of profanity, obscenity, racist terms, or other language that may be offensive to another user is prohibited.
  15. Playing games is prohibited unless specifically authorized by a teacher for instructional purposes.
  16. Establishing network or Internet connections to live communications, including voice and/or video (relay chat), is prohibited unless specifically authorized by the system administrator.


  1. The [Name of Organization] cannot be held accountable for the information that is retrieved via the network.
  2. Pursuant to the Electronic Communications Privacy Act of 1986 (18 USC 2510 et seq.), notice is hereby given that there are no facilities provided by this system for sending or receiving private or confidential electronic communications. System administrators have access to all mail and will monitor messages. Messages relating to or in support of illegal activities will be reported to the appropriate authorities.
  3. The [Name of Organization] will not be responsible for any damages you may suffer, including loss of data resulting from delays, non-deliveries, or service interruptions caused by our own negligence or your errors or omissions. Use of any information obtained is at your own risk.
  4. The [Education Agency Name] makes no warranties (expressed or implied) with respect to:
    • the content of any advice or information received by a user, or any costs or charges incurred as a result of seeing or accepting any information; and
    • any costs, liability, or damages caused by the way the user chooses to use his or her access to the network.
  5. The [Name of Organization] reserves the right to change its policies and rules at any time.

User Agreement (to be signed by all adult users and student users above grade 5)

I have read, understand, and will abide by the above Acceptable Use Policy when using computer and other electronic resources owned, leased, or operated by the [Name of Organization]. I further understand that any violation of the regulations above is unethical and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked, school disciplinary action may be taken, and/or appropriate legal action may be initiated.

User Name (please print)


User Signature Date

Parent Agreement (to be signed by parents of all student users under the age of eighteen)

As parent or guardian of [please print name of student] __________________________, I have read the Acceptable Use Policy. I understand that this access is designed for educational purposes. [Name of Organization] has taken reasonable steps to control access to the Internet, but cannot guarantee that all controversial information will be inaccessible to student users. I agree that I will not hold the [Name of Organization] responsible for materials acquired on the network. Further, I accept full responsibility for supervision if and when my child's use is not in a school setting. I hereby give permission for my child to use network resources, including the Internet, that are available through [Name of Organization].

Parent Name (please print)


Parent SignatureDate

Sample Electronic Mail Policy

(courtesy of the Rhode Island Department of Education)

User Responsibilities

These guidelines are intended to help you make the best use of the electronic mail facilities at your disposal. You should understand the following:

  1. The agency provides electronic mail to staff members to enable them to communicate effectively and efficiently with other members of staff, other companies, and partner organizations.
  2. When using the agency's electronic mail facilities you should comply with the following guidelines.
  3. If you are in any doubt about an issue affecting the use of electronic mail, you should consult the IT Services Manager.
  4. Any breach of the agency's Electronic Mail Policy may lead to disciplinary action.


  1. Do check your electronic mail daily to see if you have any messages.
  2. Do include a meaningful subject line in your message.
  3. Do check the address line before sending a message and confirm you are sending it to the right person.
  4. Do delete electronic mail messages when they are no longer required.
  5. Do respect the legal protections to data and software provided by copyrights and licenses.
  6. Do take care not to express views that could be regarded as defamatory or libelous.
  7. Do use an "out of the office assistant" to automatically reply to messages when you are not available.


  1. Do not print electronic mail messages unless absolutely necessary.
  2. Do not expect an immediate reply; recipients might not be at their computer or could be too busy to reply straight away.
  3. Do not forward electronic mail messages sent to you personally to others, particularly newsgroups or mailing lists, without the permission of the originator.
  4. Do not use electronic mail for personal reasons.
  5. Do not send excessively large electronic mail messages or attachments.
  6. Do not send unnecessary messages such as festive greetings or other non-work items by electronic mail, particularly to multiple people.
  7. Do not participate in chain or pyramid messages or similar schemes.
  8. Do not represent yourself as another person.
  9. Do not use electronic mail to send or forward material that could be construed as confidential, political, obscene, threatening, offensive, or libelous.

Please note the following:

  1. All electronic mail activity is monitored and logged.
  2. All electronic mail coming into or leaving the organization is scanned for viruses.
  3. All the content of electronic mail is scanned for offensive material.

Sample Dial-In Access Policy

(courtesy of Rhode Island Department of Education)

1. Purpose

The purpose of this policy is to protect [Name of Organization]'s electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.

2. Scope

The scope of this policy is to define appropriate dial-in access and its use by authorized personnel.

3. Policy

[Name of Organization] employees and authorized third parties (customers, vendors, etc.) are permitted to use dial-in connections to gain access to the corporate, or agency, network. Dial-in access should be strictly controlled, using one-time password authentication. Dial-in access should be requested using the corporate account request process. It is the responsibility of employees with dial-in access privileges to ensure that a dial-in connection to [Name of Organization] is not used by non-employees to gain access to company information system resources. Employees who are granted dial-in access privileges must remain constantly aware that dial-in connections between their location and [Name of Organization] are literal extensions of [Name of Organization]'s corporate network, and that they provide a potential path to the organization's most sensitive information. The employee and/or authorized third party individual must take every reasonable measure to protect [Name of Organization]'s assets. Analog and non-GSM digital cellular phones cannot be used to connect to [Name of Organization]'s corporate network, as their signals can be readily scanned and/or hijacked by unauthorized individuals. Only GSM standard digital cellular phones are considered secure enough for connection to [Name of Organization]'s network. For additional information on wireless access to the [Name of Organization] network, consult the Wireless Communications Policy.

Note: Dial-in accounts are considered to be "as needed" accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months, the account will expire and no longer function. If dial-in access is subsequently required, the individual must request a new account as described above.

4. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, including termination of employment.

Sample Password Policy

(courtesy of the Rhode Island Department of Education)

1. Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of [Name of Organization]'s entire network. As such, all employees (including contractors and vendors with access to [Name of Organization] systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2. Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

3. Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any [Name of Organization] facility, has access to the [Name of Organization] network, or stores any non-public [Name of Organization] information.

4. Policy

  1. All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
  2. All user-level passwords (e.g., e-mail, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
  3. Each successive password must be unique. Re-use of the same password will not be allowed.
  4. Passwords must be a minimum of eight (8) characters long.
  5. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
  6. Passwords must not be inserted into e-mail messages or other forms of electronic communication.
  7. Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults of "public," "private," and "system," and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
  8. All user-level and system-level passwords must conform to the guidelines described below.
  9. Passwords should never be written down or stored online.

4.1 Password Construction Guidelines

Passwords are used for various purposes at the [Name of Organization]. Some of the more common uses include: user-level accounts, web accounts, e-mail accounts, screen saver protection, voice-mail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

  1. Poor (unacceptable) passwords have the following characteristics:
    1. The password contains fewer than eight characters.
    2. The password is a word found in a dictionary (English or foreign).
    3. The password is a common usage word such as:
    • names of family, pets, friends, co-workers, fantasy characters, etc.
    • computer terms and names, commands, sites, companies, hardware, software
    • acronyms for the agency or city
    • birthdays and other personal information such as addresses and phone numbers
    • word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
    • any of the above spelled backwards
    • any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  2. Strong (acceptable) passwords have the following characteristics:
    1. Contain both upper and lowercase characters (e.g., a?z and A?Z).
    2. Have digits and punctuation characters as well as letters (e.g., 0?9 and !@#$%^&*()_+|~-=\`{}[]:";í<>?,./).
    3. Are at least eight alphanumeric characters long.
    4. Are not a word in any language, slang, dialect, jargon, etc.
    5. Are not based on personal information, names of family, etc.
    6. Can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (NOTE: Do not use either of these examples as passwords!)

4.2 Password Protection Standards

  1. Do not use the same password for [Name of Organization] accounts as for other non-[ Name of Organization] access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for the various [Name of Organization] access needs. For example, select one password for the e-mail systems and a separate password for network systems. Also, select a separate password to be used for an NT account and a UNIX account.
  2. Do not share agency passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential [Name of Organization] information.
  3. If someone demands a password, refer them to this document or have them call someone in the Office of Network and Information Systems.
  4. Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
  5. Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
  6. Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four months.
  7. If an account or password is suspected to have been compromised, report the incident to the Office of Network and Information Systems and change all passwords.
  8. The Office of Network and Information Systems or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user will be required to change it.

4.3 Application Password Development Standards

Application developers must ensure their programs contain the following security precautions:

  1. Applications should support authentication of individual users, not groups.
  2. Applications should not store passwords in clear text or in any easily reversible form.
  3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
  4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.

4.4 Use of Passwords and Pass-Phrases for Remote Access Users

Access to the [Name of Organization] networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong pass-phrase.

Pass-phrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key that is known only to the user. Without the pass-phrase to "unlock" the private key, the user cannot gain access.

Pass-phrases are not the same as passwords. A pass-phrase is a longer version of a password and is, therefore, more secure. A pass-phrase is typically composed of multiple words. Because of this, a pass-phrase is more secure against "dictionary attacks." A good pass-phrase is relatively long and contains a combination of upper- and lowercase letters and numeric and punctuation characters. An example of a good pass-phrase is:


All of the rules above that apply to passwords apply to pass-phrases.

5. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action and loss of network privileges.

6. Definitions

Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).

Previous Page -- Part 8 Next Page -- Appendix B: FERPA Fact Sheet