ITS Security Policy 200b – AUP (Acceptable Use Policies) Use of IT Resources for Students

Tags security AUP

Status: Final
Last Revision Date: May 20, 2025

Statement of Purpose

The Clackamas Community College (CCC) Student Acceptable Use Policy (AUP) establishes guidelines for the proper use of CCC Electronic Information Resources by students. This policy is designed to meet current regulatory requirements, protect sensitive information, and ensure the security and integrity of CCC's IT infrastructure while supporting academic pursuits and student success.

Policy Summary

This AUP establishes guidelines for the proper use of CCC Electronic Information Resources by all students. The policy aims to:

  • Ensure CCC operates in compliance with state and federal laws and regulations, including FERPA, HIPAA, PCI DSS, and Oregon public records law.

  • Protect Controlled Sensitive Data from unauthorized disclosure, ensuring compliance with the 2025 NIST Privacy Framework and Cybersecurity Framework 2.0.

  • Maintain the security, trustworthiness, and integrity of CCC's technological infrastructure.

  • Define responsibilities for students regarding the use of CCC Electronic Information Resources.

  • Support the efficient operation of CCC's technological environment for authorized academic activities.

This AUP applies to all individuals enrolled at CCC—whether credit- or non-credit-seeking—and to any other individuals accessing CCC Electronic Information Resources as a student or in a student-related capacity. Students are responsible for complying with this AUP when using CCC resources or when actively engaging in college coursework or activities.

Compliance with this AUP is mandatory. Failure to comply may result in disciplinary action in accordance with the CCC Student Code of Conduct and may lead to suspension of access privileges or other actions as appropriate.

Policy

1. General Use

1.1 Basic Requirements

  • The use of CCC Electronic Information Resources shall comply with applicable laws, regulations, and policies.

  • Users shall respect the privacy of other individuals, including others' digital content.

  • Users shall not intentionally disrupt the computing environment or obstruct the work of other users.

  • Users shall not interfere with authorized user access to CCC Electronic Information Resources.

  • Users shall not deny service to any other authorized user of CCC Electronic Information Resources.

  • Users shall not circumvent authentication mechanisms or security controls.

  • Users shall not engage in malicious behavior.

1.2 Prohibited Activities

  • Users shall not intentionally introduce malicious software into the network or otherwise cause security breaches or disruptions of network communications.

  • Users shall not install hardware devices or develop, download, or use software or other methods with the intent to gain unauthorized access to CCC Electronic Information Resources.

  • Users shall not participate in illegal or unauthorized peer-to-peer file sharing (e.g., Torrent).

  • Users shall not engage in any "Dark Web" activities, including hosting (e.g., Onion routers) or browsing (e.g., TOR browser).

  • Users shall not use CCC Electronic Information Resources for crypto mining (e.g., Bitcoin mining).

  • CCC Electronic Information Resources shall not be used for commercial or non-College academic or administrative purposes unless specifically authorized by other College policies or by the College President.

  • CCC Electronic Information Resources shall not be used to endorse any political candidate or ballot initiative unless specifically authorized by other College policies or by the College President.

1.3 Reporting Violations

  • Users observing policy violations shall report the activity to a lab assistant, lab coordinator, or course instructor.

  • If the violation poses an immediate risk to Controlled Sensitive Data, users shall contact the ITS Department or College Safety immediately.

  • Security incidents must be reported within 72 hours, as required by 2025 cybersecurity regulations.

2. Accounts and Authentication

2.1 Credentials and Authentication

  • For the purposes of this section, credentials shall include any data used to authenticate the identity of an individual, including usernames, passwords, PINs, access cards, MFA tokens, biometric data, and digital certificates.

  • Multifactor authentication (MFA) is required for all accounts accessing CCC systems containing Controlled Sensitive Data, in compliance with 2025 cybersecurity standards.

2.2 Account Provisioning and Terms of Use

  • CCC credentials and accounts are provided at the discretion of the College and are subject to the following terms of use:

    • The College has a legal obligation to access and provide any data stored on its systems if requested as part of litigation (eDiscovery).

    • Authorized personnel may inspect any data transmitted or stored using CCC Electronic Information Resources.

    • After two years of non-enrollment, all user credentials shall be disabled.

2.3 Student Account Management

  • Student email accounts shall be created at the time of admission and deactivated if any of the following criteria are met:

    • Inactivation occurs after two consecutive years of non-enrollment in a course for credit students.

    • Inactivation occurs after two consecutive years of non-enrollment for non-credit students.

    • Inactivation occurs at the request of the student.

  • Students are encouraged to back up important personal data to alternate storage media before account inactivation.

2.4 Password and Credential Security

  • Users shall protect their passwords and secure College Electronic Information Resources against unauthorized use or access.

  • Users shall not use their College-provided credentials as their login for personal accounts.

  • Passwords used for College accounts shall be unique to the College and meet current complexity requirements as defined by the ITS department.

  • Users shall not share or otherwise provide access to their College credentials to another individual.

  • Users shall not use another user's credentials or attempt to capture, surveil, or guess another user's credentials.

  • Users shall not use their College credentials for personal purposes with third-party websites or services.

3. Computing Devices and Resources

3.1 Acceptable Use of Computing Resources

  • Users shall only access College Electronic Information Resources they are authorized to use.

  • Users shall only use College Electronic Information Resources for their intended purpose and in support of authorized academic or administrative activities.

  • Incidental personal use is acceptable provided that such use:

    • Complies with all other policies set forth within this AUP.

    • Does not incur additional cost or expense to the College.

    • Does not interfere with the performance or availability of College Electronic Information Resources.

  • All personal use of CCC Electronic Information Resources shall be at the user's risk; CCC shall not be responsible for loss of access, theft, public disclosure, or breach of data accessed for personal use.

3.2 Device Management

  • Users shall not physically remove College Electronic Information Resources from College premises, except for mobile devices, laptops, and other technologies provided to support remote learning initiatives with proper authorization.

  • Users shall be individually responsible for the appropriate use of their College account and any College Electronic Information Resources under their control.

  • College Electronic Information Resources shall be surrendered upon request.

  • Users shall not use College Electronic Information Resources to host unauthorized web content.

3.3 Public Computing Resources

  • Users shall restart or shut down computers after use to minimize the risk of personal data exposure to subsequent users.

  • The College provides accessibility stations for individuals with special requirements. Anyone may use an accessibility station if available, but users without special needs shall yield access to those who do when asked.

  • Classroom and public access computers are used by many users, increasing the possibility of malware. Use these computers to access personal data at your own risk.

4. Portable Storage Devices

  • The use of portable storage devices, such as a USB thumb drive, is permitted.

  • Users shall not connect any unknown portable storage device to any College technological resource. If such a device is found, report the incident to appropriate staff or the ITS department.

  • Portable storage devices containing Controlled Sensitive Data must be encrypted using approved methods that meet 2025 standards and must be securely wiped before repurposing.

5. Network Access and Security

5.1 Device Evaluation

  • Users consent to programmatic evaluation of any computer or mobile device attached to CCC networks, including personally owned devices.

  • Scanning of personally owned devices shall be conducted only to determine if the device meets cybersecurity requirements established by the ITS Security team.

  • Users shall not perform unauthorized scanning or enumeration activities of CCC Electronic Information Resources or personally owned devices connected to CCC networks.

5.2 Network Access Rules

  • CCC provides publicly accessible Wi-Fi for campus guests and visitors. The public Wi-Fi network is an open network, and the user assumes all risk of use.

  • Students shall not connect any device to CCC's wired networks unless specifically instructed to do so by ITS staff.

  • Students shall not remove any device from CCC's wired networks unless specifically instructed to do so by ITS staff.

  • Students shall not move or relocate CCC Electronic Information Resources unless specifically instructed to do so by ITS staff, with exceptions for resources used to support remote learning initiatives.

5.3 Security Measures

  • All devices connected to CCC networks must have current security patches and anti-malware protection.

  • Network traffic may be monitored for security threats and policy compliance.

  • Any suspicious network activity must be reported to the ITS Department.

6. Electronic Communications

6.1 General Requirements

  • Electronic communications systems are provided to CCC students to support academic outcomes.

  • Incidental personal use is permitted to the extent approved by CCC's board of directors.

  • Electronic communication shall comply with all other communication-related policies, procedures, and standards set forth by the College.

  • All electronic communications using the College's systems shall be conducted lawfully, respectfully, and professionally.

6.2 Email Use

  • Email communications with College staff shall be conducted using the College-provided email address, except when the account has not yet been provided or when account access has been restricted or removed.

  • No student shall claim to represent the College using any electronic communication mechanism unless officially authorized.

  • Users shall not use CCC's electronic communications systems in a manner that restricts or inhibits other users from using CCC Electronic Information Resources.

6.3 Email Security

  • Users shall exercise extreme caution when opening attachments or clicking links in emails from unknown senders.

  • Email or other electronic communications suspected of containing malicious content shall be reported to the CCC's ITS Security team.

  • Users shall not attempt to forge email headers or alter the 'sender from' data of an email (spoofing).

  • Mass mailings are discouraged for individual email accounts. Exceeding daily sending limits will result in the account being barred from sending additional email.

7. BYOD (Bring Your Own Device)

7.1 Personal Device Use

  • Use of BYOD is subject to all other CCC policies.

  • CCC students have access to the Student Wi-Fi network, which requires authentication using CCC credentials.

  • Use of the Student network may require installing certificates and/or software agents on the BYOD device. By using the Student network, the user agrees to these terms.

  • BYOD devices shall not be connected to CCC's wired networks.

7.2 Device Security Requirements

  • Users connecting personally owned devices to CCC's wireless networks shall ensure that the device is patched, free of malware, and not rooted or jailbroken.

  • BYOD devices failing to comply with acceptable use policies may be removed from the network and banned from reconnecting.

  • Student-owned devices should employ encryption for sensitive data in accordance with 2025 security standards.

8. Privacy and Network Monitoring

8.1 Privacy Expectations

  • Students shall have no expectation of privacy in anything they store, send, or receive using CCC Electronic Information Resources.

  • All data stored on CCC Electronic Information Resources is a public record under Oregon law and subject to disclosure unless exempted by law.

  • Students shall have no expectation of privacy when using CCC's Electronic Communication Systems.

8.2 System Monitoring

  • Electronic Communication Systems owned and operated by CCC are monitored to maintain functionality and prevent malicious activities.

  • Data collected from monitoring may be disclosed to CCC employees responsible for operating systems and preventing malicious activity, and to appropriate authorities as required by law.

  • Data monitoring practices comply with the 2025 NIST Privacy Framework to balance security needs with privacy protections.

9. Intellectual Property and Copyright

9.1 Copyright Compliance

  • Users shall not violate the rights of any person or company protected by copyright, trade secrets, patents, or other intellectual property laws or regulations.

  • This prohibition includes the installation or distribution of "pirated" or other software products not licensed for use by the College.

9.2 License Compliance

  • Users shall abide by the terms of any licenses, contracts, or agreements into which they or the College have entered regarding the use of intellectual property.

  • Software usage must comply with all licensing terms.

Exemptions

Users may use copyrighted or otherwise legally restricted materials as permissible under fair use and other essential exemptions from copyright law (e.g., classroom exemption). It is the responsibility of the user to understand these exemptions and ensure their particular usage falls within legal parameters.

Exceptions

Exceptions to this policy may be granted only in extraordinary circumstances and must be approved in writing by the CIO/CISO. Students seeking an exception should work with their instructor or academic advisor to submit a formal request to the ITS Department.