ITS Security Policy 200 – AUP (Acceptable Use Policies) Use of IT Resources for Students

Tags security AUP

CCC Staff
Acceptable Use Agreement

Introduction

 

 

Purpose and Applicability

The purpose of the Clackamas Community College (CCC) Acceptable Use Policy (AUP) is to establish acceptable practices regarding the use of CCC Technological Resources.

The practices within this policy:

  1. ensure CCC operates in a manner that complies with state law, federal law, and applicable regulations
  2. protect Controlled Sensitive Data from unauthorized disclosure to the public or to entities that would wish to do harm to CCC
  3. ensure data and Technological Resources are trustworthy and safe to use
  4. ensure accessibility to authorized data and Technological Resources

This AUP applies to all entities (hereafter referred to as “staff”) that provide services for CCC whether paid or unpaid; inclusive of full-time and part-time classified employees, full-time faculty, associate faculty, unpaid instructors, volunteers, Federal Work Study employees, students in Cooperative Work Experience (CWE) programs, student government officers, tutors, interns, administrative staff, temporary employees and/or staff hired via a staffing agency, and partner organizations that provide community services using the Technological Resources owned and managed by CCC. 

CCC Staff are responsible for complying with CCC’s AUP when using CCC Technological Resources and/or when actively performing services on behalf of CCC. Failure to comply may result in disciplinary action per applicable contract/employee agreement.

 

Errata

This Acceptable Use Policy document is prepared and distributed by the ITS Department of Clackamas Community College. If you identify any error, omission, or other issue with this publication please create a support request containing the specific area of concern and the reason for the report.

 

 

Policy Statements

 

 

General

  1. The use of CCC Technological Resources shall comply with applicable laws, regulations, and policies
  2. Users shall respect the privacy of other individuals, including others’ digital content
  3. Users shall not intentionally disrupt the computing environment or obstruct the work of other users
  4. Users shall not interfere with authorized user access to CCC Technological Resources
  5. Users shall not deny service to any other authorized user of CCC Technological Resources
  6. Users shall not circumvent authentication mechanisms or security controls
  7. Users shall not engage in malicious behavior
  8. Users shall not intentionally introduce malicious software into the network, or in any other way intentionally cause security breaches or disruptions of network communications.
  9. Users shall not install hardware devices, or otherwise develop, download, and/or use software or other methods, with the intent to gain unauthorized access to CCC Technological Resources, disrupt other computer or network users, damage/degrade the performance of CCC Technological Resources, or eavesdrop on other users.
  10. Users shall not participate in illegal or unauthorized peer-to-peer file sharing (e.g. Torrent)
  11. Users shall not engage in any “Dark Web” activities, including (but not limited to) hosting (e.g. Onion routers) and browsing (e.g. TOR browser)
  12. Users shall not use CCC Technological Resources for crypto mining (e.g. Bitcoin mining)
  13. CCC Technological Resources shall not be used for commercial or non-CCC academic or administrative purposes unless specifically authorized by other College policies or by the College President.
  14. CCC Technological Resources shall not be used for the endorsement of any political candidate or ballot initiative unless specifically authorized by other College policies or by the College President.
  15. Violations of any policy within this AUP shall be reported.
    1. The user observing the policy violation shall report the activity to their immediate supervisor unless the immediate supervisor is responsible for the violation. In this instance the user shall report the violation to the CIO/CISO
    2. If the violation poses an immediate risk of compromise to Controlled Sensitive Data, contact the ITS Department or College Safety

 

 

Accounts

For the purposes of this section, credentials shall include any data used to authenticate the identity of an individual, including username and password (including password hashes), PIN numbers, access cards, MFA tokens, biometric data (i.e. fingerprints), and digital certificates.

  1. CCC credentials and accounts are provided at the discretion of CCC and subject to the following terms of use:
    1. CCC has a legal obligation to access and provide any data (personal or otherwise) stored on CCC systems requested as part of litigation (eDiscovery)
    2. Authorized personnel may inspect any data transmitted or stored using CCC Technological Resources. This includes (but is not limited to) equipment, files, and CCC email
    3. Upon separation, all user credentials shall be disabled and users shall no longer have access to the contents of their mailboxes, files, or folders contained on CCC Technological Resources, affiliated 3rd party resources, or other CCC accounts
  2. CCC credentials and system accounts are provisioned based on user type:
    1. Employee Accounts: Access to CCC Technological Resources is provided only while user is employed by CCC
    2. Student Accounts: Student email accounts shall be created at the time of admission and deactivated if any of the following criteria are met (Note: students are encouraged to back up important personal data to alternate storage media before inactivation):
      1. Inactivation after two consecutive years of non-enrollment in a course for credit students
      2. Inactivation after two consecutive years of non-enrollment for non-credit students, or
      3. Inactivation at the request of the student
    3. Affiliate Accounts: Individuals with a special relationship with CCC who are neither employed by, nor enrolled at CCC may be granted limited privileges commensurate with the nature of their special relationship. CCC reserves the right to discontinue these privileges at any time.
  3. Users shall protect their passwords and secure CCC Technological Resources against unauthorized use or access. Writing down passwords (even if stored out of public view), storing passwords in plain text in a computer file, and sharing passwords are a violation of this policy.
  4. Users shall not use their CCC provided authenticators, such as User ID/Password, as their account login to personal accounts.
  5. Passwords used for CCC accounts shall be unique to CCC. Passwords used for 3rd party sites accessed in support of CCC missions shall be materially different from the password used for the user’s CCC account.
  6. Users shall not share or otherwise provide access to their CCC credentials to another individual. If extenuating circumstances require access to another user’s account, then the ITS Department shall be contacted to provide alternate means of access. Exceptions for 3rd party sites not managed by the ITS Department shall be evaluated on a case-by-case basis.
  7. Users shall not use another user’s credentials for CCC Technological Resources or affiliated 3rd party resources, nor shall a user attempt to capture, surveil, or guess another user’s credentials for CCC Technological Resources or affiliated 3rd party resources. This includes electronic and non-electronic means (i.e. “shoulder surfing”)
  8. Users shall not use their CCC credentials for personal purposes when creating personal accounts with 3rd party websites (such as Facebook, Netflix, or Twitter) or with cloud services, web applications, or internet resources not officially sanctioned by CCC’s ITS department which includes (but is not limited to) Gmail, Dropbox, LinkedIn, and Glassdoor. Usage may be sanctioned when access is required in the performance of assigned job duties.
  9. Users shall not share login information to 3rd party sites or services and each individual needing access to the 3rd party resource shall be provided a login specific to the individual. Where the previous is not possible, the access credential shall be stored using a repository that:
    1. is encrypted using industry standard encryption methods
    2. is accessible only to authorized users
    3. logs the credential accessed, account used to access the credential, and the date and time of credential access
  10. A shared access credential shall be changed when any CCC staff that was granted access to the credential has their access revoked for any reason

Computing Devices

  1. Users shall secure and lock, or log off, all unattended devices
  2. Users shall take all reasonable precautions to protect laptops and mobile devices from theft
  3. Users shall not leave mobile devices that contain Controlled Sensitive Data unattended
  4. Users shall report the loss of mobile devices, or any other media containing Controlled Sensitive Data, immediately (or as soon as possible) to ITS or Campus Safety. This shall include personally owned devices if this device was used to access Controlled Sensitive Data CCC data, if an email application on the device was configured to automatically login to a CCC email account, or if the device was used as an authenticator for MFA.
  5. Users assigned a mobile device to support work-at-home initiatives shall ensure that the mobile device is available for regular security patching and policy updates
  6. Users shall only access CCC Technological Resources that they are authorized to use
  7. Users shall only use CCC Technological Resources for their intended purpose and in support of authorized academic or administrative activities
  8. Incidental personal use of a CCC Technological Resource is acceptable provided that such use:
    1. complies with all other policies as set forth within this AUP
    2. incurs no additional cost or expense by CCC
    3. does not interfere with the performance or availability of CCC Technological Resources
  9. All incidental personal use of CCC Technological Resources shall be at the risk of the user and CCC shall not be responsible for loss of access, theft, public disclosure, or breach of data accessed for personal use.
  10. Users shall not physically remove CCC Technological Resources from CCC premises without written authorization from the ITS department, except:
    1. Mobile devices, laptops, and other technologies provided to CCC Staff to support remote work initiatives, which may be removed from CCC premises provided that the Staff member has a completed Asset Form on file with ITS or the Business Office. The staff member shall only remove the device(s) specifically accounted for on asset form(s) bearing the user’s signature.
    2. Technological Resources documented as on loan from the ITS Department to the user removing the device
  11. Users shall be individually responsible for the appropriate use of their computer, account, or any other CCC Technological Resource assigned to them
  12. Upon separation, employees shall return all CCC Technological Resources in their possession to the ITS department
  13. CCC Technological Resources shall be surrendered to the ITS department upon request
  14. Users shall not use CCC Technological Resources for hosting unauthorized web content

Portable Storage Devices

  1. Use of portable storage devices, such as a USB “thumb drive”, is permitted
  2. Portable storage devices containing Controlled Sensitive Data shall:
    1. be clearly labeled
    2. be securely controlled at all times
    3. be encrypted if the device is transported via publicly accessible spaces
    4. not be connected to a personally owned device (BYOD) or other systems not owned or operated by CCC
    5. be securely wiped before being repurposed for other data storage purposes. If the device cannot be securely wiped, then it must be destroyed in a manner that will prevent data reconstruction.
  3. Users shall not connect any unknown portable storage device to any CCC Technological Resource. If such a device is found, report the incident to the ITS department.

 

Network Access

  1. Users consent to programmatic evaluation of any computer or mobile device attached to CCC networks, including personally owned devices.
  2. Scanning of personally owned devices shall be conducted only to the extent needed to determine if the device meets the cybersecurity requirements established by the ITS Security team. Scanning will collect data including (but not limited to) device platform, operating system version, and installed security patches.
  3. Scanning of personally owned devices shall not attempt to discover, read, or access personal information except for the purposes stated in item (2)
  4. Users shall not perform any unauthorized scanning or enumeration activities of CCC Technological Resources or personally owned devices connected to CCC’s networks
  5. CCC provides publicly accessible Wi-Fi for campus guests and visitors. The public Wi-Fi network is an open network and the user assumes all risk of use
  6. CCC staff shall not connect any device or technology to CCC’s wired networks unless specifically instructed to do so by ITS staff
  7. CCC staff shall not remove any device or technology from CCC’s wired networks unless specifically instructed to do so by ITS staff
  8. CCC staff shall not move or relocate CCC Technological Resources unless specifically instructed to do so by ITS staff. CCC Technological Resources deployed in support of Work-From-Home initiatives are exempted from this prohibition.

 

Electronic Communications

  1. Electronic communications systems are provided to CCC staff to support the academic and administrative missions of the college. Incidental personal use of these systems is permitted to the extent approved by CCC's board of directors. Personal communications shall comply with all applicable provisions of this Acceptable Use Policy.
  2. Electronic communication shall comply with all other communication-related policies, procedures, and standards set forth by the College.
  3. Electronic communications systems, including email, not officially provided by CCC shall be prohibited for the transmission, storage, or sharing of Controlled Sensitive Data without express written consent of CCC's CIO/CISO.
  4. Staff shall not conduct official college business using an email address that is not managed by the ITS Department except for emergency and on-call situations
  5. All electronic communications using CCC’s Electronic communications systems shall be conducted lawfully, respectfully, and professionally
  6. Users shall not use CCC’s electronic communications systems to create or distribute inappropriate content
  7. No employee shall claim to represent the college using any electronic communication mechanism unless such communication is officially authorized
  8. Users shall not use CCC’s electronic communications systems in a manner that restricts or inhibits other users from using CCC Technological Resources, or in a manner that degrades the performance of CCC Technological Resources
  9. Email communications with students shall be conducted using the student’s CCC provided email address except when the student has not yet been provided access to the account or account access has been restricted/removed due to policy/security violations or expiration.
    1. If students initiate contact using a non-CCC email it is the responsibility of the recipient to redirect the communication to the CCC operated email platform.
  10. CCC shall not guarantee the delivery of any electronic communication if such communication is not conducted in support of authorized academic or administrative activities.
  11. Users shall use extreme caution when opening attachments or clicking links in email or text messages (or other electronic files) received from unknown senders.
  12. Email or other electronic communications suspected of containing malicious content or bearing malicious intent shall be reported to CCC’s ITS Security team
  13. Users shall not attempt to monitor, collect, or store communications data, including metadata and protocol data unit information, without authorization from CCC’s CIO/CISO
  14. Users shall not attempt to forge, or otherwise alter, email header information
  15. Users shall not attempt to alter the ‘sender from’ data of an email (aka spoofing) or otherwise alter a communication to make it appear as if someone other than the actual sender was responsible for the message
  16. Warnings and notifications of information security issues (i.e. business email compromise, virus/malware, policy violations) shall be sent only from authorized CCC email accounts.
  17. Mass mailings are discouraged for an individual's email accounts and enforcement is done using daily sending limits. Exceeding these limits will result in the responsible account being barred from sending additional email.
    1. Restoration of email rights may occur automatically, but users are encouraged to contact the ITS Service Desk to ensure prompt resolution
  18. Email accounts specifically made for the purpose of mass mailings shall be used for mass mailing purposes whenever possible
  19. Third party services used to send email to internal and external recipients on the behalf of CCC shall be registered with ITS prior to use
  20. Do not “Reply All” to mass mailings

BYOD

  1. Use of BYOD is subject to all other CCC Policies
  2. Staff shall not store Controlled Sensitive Data on their personal devices
  3. CCC staff have access to the staff Wi-Fi network. Access to this network is controlled and shall require the user to authenticate using their CCC staff account. Use of this network may require the installation of certificates and/or software agents to the BYOD device. By using the staff network the user agrees to be bound by these terms.
  4. BYOD devices shall not be connected to CCC’s wired networks without prior authorization from CCC’s CIO/CISO. This prohibition includes attaching a personally owned device to a dock or port replication device that provides a wired connection to CCC’s wired network.
  5. Users connecting personally owned devices to CCC’s wireless networks shall ensure that the device is patched and free of malware, and that wireless devices are not rooted or jailbroken
  6. BYOD devices failing to comply with acceptable use policies, communicating with suspicious internet hosts, or otherwise suspected of introducing unreasonable security risk to CCC networks shall be removed from the network and banned from reconnecting. Where possible, ITS will attempt to notify the device owner about the disconnection and ban.

Classroom and Public Computer Access

  1. CCC provides public access computing in designated areas only. CCC staff use of these public computers is permitted provided that their use complies with CCC policy and any posted Rules for the area
  2. Users of public access computers must comply with all requests and instructions from the lab assistant, lab coordinator, CCC staff member designated as the Physical Security Steward, or ITS staff. Should users have an issue with any instruction, please request to speak to a supervisor.
  3. CCC staff shall yield access to publicly accessible computers to students
  4. Users shall not use publicly accessible computers to access Controlled Sensitive Data
  5. Storage devices containing Controlled Sensitive Data shall not be connected to publicly accessible computers

 

 

Network monitoring

  1. Employees shall have no expectation of privacy in anything they store, send, or receive using CCC Technological Resources
  2. All data stored on CCC Technological Resources is public record under Oregon Law and subject to disclosure to 3rd parties unless disclosure is expressly exempted or made confidential by law.
  3. Users shall have no expectation of privacy when using CCC Electronic Communication Systems. CCC Electronic Communications Systems digital content is College record, which may be disclosed under the Oregon Public Records Law, by subpoena, or to conduct College business. 
  4. Electronic Communication Systems owned and operated by CCC are monitored to the extent allowed by law for purposes of maintaining properly functioning systems and prevention of malicious activities. Data collected from these systems shall be disclosed to CCC employees with responsibilities for operating CCC's Electronic Communications Systems and prevention of malicious activity. Data shall be disclosed to appropriate authorities as required by state and/or federal laws.

 

Copyright

  1. Users of CCC Technological Resources shall not violate the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property laws/regulations. This prohibition includes (but is not limited to) the installation or distribution of “pirated” or other software products that are not licensed for use by CCC.
  2. Users shall abide by the terms of any licenses, contracts, or agreements into which they or the College have entered regarding the use of intellectual property

 

Data Access and Control

  1. Transfer of Controlled Sensitive Data shall be conducted only via ITS approved methods
  2. Users shall access, use, or share Controlled Sensitive Data only to the extent authorized for their specific usage
  3. Users shall report the theft, loss, or unauthorized disclosure of Controlled Sensitive Data immediately (or as soon as possible) to the ITS department or Campus Safety
  4. Controlled Sensitive Data shall not be created, stored, or transferred using Technological Resources that are not owned or managed by CCC. CCC retains ownership of all such data in the event of violation of this policy regardless of whether such violation was intentional or unintentional.
  5. User-created digital content that includes CCC branding must conform to College content and communication policies and standards (in alignment with Marketing department policy).
  6. Where CCC trademarks, logos, etc. are used, users shall use approved graphics provided by the CCC Marketing Department (“Brand Toolbox” on the CCC staff portal)
  7. All CCC owned and managed data shall be reviewed prior to publication or otherwise being made publicly available
  8. Users shall not publish Controlled Sensitive Data

 

 

3rd Party Software and Cloud platforms

  1. Users shall comply with contractual and license agreements between CCC and 3rd parties when using CCC Technological Resources
  2. Users shall abide by the terms of any licenses, contracts, or agreements into which they or the College have entered regarding the use of intellectual property
  3. Controlled Sensitive Data shall not be stored, transmitted, or processed by 3rd party sites or services unless approved for the specific use.
  4. 3rd party sites and services shall only be used to the extent approved for supporting CCC’s missions

 

 

Glossary