ITS Security Policy 200a – AUP (Acceptable Use Policies) Use of IT Resources for non-Students

Summary

This policy outlines guidelines for the responsible use of CCC Technological Resources, ensuring compliance with laws, protecting sensitive data, and maintaining resource security and accessibility. It applies to all staff and provides detailed regulations on general use, accounts, computing devices, network access, electronic communications, and data management, with violations subject to disciplinary action.

Body

Status: Final
Last Revision Date: May 20, 2025

Statement of Purpose

The purpose of the Clackamas Community College (CCC) Acceptable Use Policy (AUP) is to establish acceptable practices regarding the use of CCC Technological Resources. This policy is designed to meet current regulatory requirements, protect sensitive information, and ensure the security and integrity of CCC's IT infrastructure while supporting the academic and administrative missions of the college.

Policy Summary

This AUP establishes guidelines for the proper use of CCC Technological Resources by all non-student users. The policy aims to:

  • Ensure CCC operates in compliance with state and federal laws and regulations, including FERPA, HIPAA, PCI DSS, and Oregon public records law.

  • Protect Controlled Sensitive Data from unauthorized disclosure, ensuring compliance with the 2025 NIST Privacy Framework and Cybersecurity Framework 2.0.

  • Maintain the security, trustworthiness, and integrity of CCC's technological infrastructure.

  • Define responsibilities for users regarding the use of CCC Technological Resources.

  • Support the efficient operation of CCC's technological environment for authorized academic and administrative activities.

This AUP applies to all entities (hereafter referred to as "staff") that provide services for CCC whether paid or unpaid; inclusive of full-time and part-time classified employees, full-time faculty, associate faculty, unpaid instructors, volunteers, Federal Work Study employees, students in Cooperative Work Experience (CWE) programs, student government officers, tutors, interns, administrative staff, temporary employees and/or staff hired via a staffing agency, and partner organizations that provide community services using the Technological Resources owned and managed by CCC.

Compliance with this AUP is mandatory when using CCC Technological Resources and/or when performing services on behalf of CCC. Failure to comply may result in disciplinary action per applicable contract/employee agreement and, depending on the violation, may lead to legal consequences.

Policy

1. General Use

1.1 Basic Requirements

  • The use of CCC Technological Resources shall comply with applicable laws, regulations, and policies.

  • Users shall respect the privacy of other individuals, including others' digital content.

  • Users shall not intentionally disrupt the computing environment or obstruct the work of other users.

  • Users shall not interfere with authorized user access to CCC Technological Resources.

  • Users shall not deny service to any other authorized user of CCC Technological Resources.

  • Users shall not circumvent authentication mechanisms or security controls.

  • Users shall not engage in malicious behavior.

1.2 Prohibited Activities

  • Users shall not intentionally introduce malicious software into the network or cause security breaches or disruptions of network communications.

  • Users shall not install hardware devices or develop, download, and/or use software or other methods with the intent to gain unauthorized access to CCC Technological Resources.

  • Users shall not participate in illegal or unauthorized peer-to-peer file sharing (e.g., Torrent).

  • Users shall not engage in any "Dark Web" activities, including hosting (e.g., Onion routers) and browsing (e.g., TOR browser).

  • Users shall not use CCC Technological Resources for crypto mining (e.g., Bitcoin mining).

  • CCC Technological Resources shall not be used for commercial or non-CCC academic or administrative purposes unless specifically authorized by other College policies or by the College President.

  • CCC Technological Resources shall not be used for the endorsement of any political candidate or ballot initiative unless specifically authorized by other College policies or by the College President.

1.3 Reporting Violations

  • Users observing policy violations shall report the activity to their immediate supervisor unless the supervisor is responsible for the violation. In this instance, users shall report the violation to the CIO/CISO.

  • If the violation poses an immediate risk to Controlled Sensitive Data, users shall contact the ITS Department or College Safety immediately.

  • Security incidents must be reported within 72 hours, as required by 2025 cybersecurity regulations.

2. Accounts and Authentication

2.1 Credentials and Authentication

  • For the purposes of this section, credentials shall include any data used to authenticate the identity of an individual, including usernames, passwords, PIN numbers, access cards, MFA tokens, biometric data, and digital certificates.

  • Multifactor authentication (MFA) is required for all accounts accessing CCC systems containing Controlled Sensitive Data, in compliance with 2025 cybersecurity standards.

2.2 Provisioning and Terms of Use

  • CCC credentials and accounts are provided at the discretion of CCC and subject to the following terms of use:

    • CCC has a legal obligation to access and provide any data stored on CCC systems requested as part of litigation (eDiscovery).

    • Authorized personnel may inspect any data transmitted or stored using CCC Technological Resources.

    • Upon separation, all user credentials shall be disabled, and users shall no longer have access to CCC resources.

2.3 Provisioning by User Type

  • Employee Accounts: Access to CCC Technological Resources is provided only while the user is employed by CCC.

  • Affiliate Accounts: Individuals with a special relationship with CCC who are neither employed by nor enrolled at CCC may be granted limited privileges commensurate with the nature of their special relationship. CCC reserves the right to discontinue these privileges at any time.

2.4 Password and Credential Security

  • Users shall protect their passwords and secure CCC Technological Resources against unauthorized use or access.

  • Users shall not use their CCC-provided authenticators as a login to personal accounts.

  • Passwords used for CCC accounts shall be unique to CCC and meet current complexity requirements as defined by the ITS department.

  • Users shall not share or otherwise provide access to their CCC credentials to another individual.

  • Users shall not use another user's credentials or attempt to capture, surveil, or guess another user's credentials.

  • Users shall not use their CCC credentials for personal purposes with third-party websites or services.

  • Shared credentials must be stored in an approved encrypted repository that logs all access and must be changed when any staff member's access is revoked.

3. Device Security and Management

3.1 Computing Devices

  • Users shall secure and lock, or log off, all unattended devices.

  • Users shall take all reasonable precautions to protect laptops and mobile devices from theft.

  • Users shall not leave mobile devices that contain Controlled Sensitive Data unattended.

  • Users shall report the loss of mobile devices containing Controlled Sensitive Data immediately to ITS or Campus Safety.

  • All devices connected to CCC networks must have current security patches and anti-malware protection.

  • Users assigned a mobile device shall ensure that the device is available for regular security patching and policy updates.

3.2 Use of CCC Technological Resources

  • Users shall only access CCC Technological Resources that they are authorized to use.

  • Users shall only use CCC Technological Resources for their intended purpose and in support of authorized activities.

  • Incidental personal use is acceptable provided that such use:

    • Complies with all other policies in this AUP.

    • Incurs no additional cost or expense to CCC.

    • Does not interfere with the performance or availability of CCC Technological Resources.

  • All personal use of CCC Technological Resources shall be at the risk of the user, and CCC shall not be responsible for any loss or breach of personal data.

3.3 Physical Control of Technological Resources

  • Users shall not physically remove CCC Technological Resources from CCC premises without authorization, except:

    • Mobile devices provided for remote work with a completed Asset Form on file.

    • Resources documented as on loan from the ITS Department.

  • Users shall be individually responsible for the appropriate use of their computer, account, or any other CCC Technological Resource assigned to them.

  • Upon separation, employees shall return all CCC Technological Resources in their possession to the ITS department.

3.4 Technology Asset Inventory and Network Map

  • The ITS department will maintain a comprehensive technology asset inventory and network map illustrating the movement of electronic protected information through systems, as required by 2025 cybersecurity standards.

  • This inventory and map will be reviewed at least every 12 months.

4. Data Protection and Storage

4.1 Portable Storage Devices

  • Use of portable storage devices is permitted with restrictions.

  • Portable storage devices containing Controlled Sensitive Data shall:

    • Be clearly labeled.

    • Be securely controlled at all times.

    • Be encrypted using approved methods that meet 2025 standards.

    • Not be connected to personally owned devices or non-CCC systems.

    • Be securely wiped before repurposing or destroyed if secure wiping is not possible.

  • Users shall not connect unknown or suspicious portable storage devices to any CCC Technological Resource.

4.2 Data Access and Control

  • All electronic Protected Health Information (ePHI) and Controlled Sensitive Data must be encrypted at rest and in transit per 2025 HIPAA requirements.

  • Transfer of Controlled Sensitive Data shall be conducted only via ITS-approved methods.

  • Users shall access, use, or share Controlled Sensitive Data only to the extent authorized for their specific usage.

  • Users shall report the theft, loss, or unauthorized disclosure of Controlled Sensitive Data immediately to the ITS department or Campus Safety.

  • Controlled Sensitive Data shall not be created, stored, or transferred using resources not owned or managed by CCC.

4.3 Data Management

  • User-created digital content that includes CCC branding must conform to College content and communication policies.

  • All CCC-owned and -managed data shall be reviewed prior to publication or being made publicly available.

  • Users shall not publish Controlled Sensitive Data.

  • Network segmentation must be implemented to isolate systems containing sensitive data, per 2025 cybersecurity requirements.

5. Network Access and Security

5.1 Device Evaluation

  • Users consent to programmatic evaluation of any computer or mobile device attached to CCC networks, including personally owned devices.

  • Scanning of personally owned devices shall be conducted only to determine if the device meets cybersecurity requirements.

  • Vulnerability scans must be conducted at least every six months per 2025 security standards.

  • Users shall not perform unauthorized scanning or enumeration activities on CCC networks.

5.2 Network Access

  • CCC provides publicly accessible Wi-Fi for campus guests and visitors. The public Wi-Fi network is an open network, and the user assumes all risk of use.

  • CCC staff shall not connect any device to CCC's wired networks unless authorized by ITS staff.

  • CCC staff shall not remove any device from CCC's wired networks unless authorized by ITS staff.

  • CCC staff shall not move or relocate CCC Technological Resources unless authorized by ITS staff.

5.3 Security Measures and Testing

  • Security measures must be reviewed and tested at least every 12 months in compliance with 2025 standards.

  • A formal risk assessment must be conducted annually that includes review of the technology asset inventory, network map, and assessment of threat/vulnerability risk levels.

  • An internal HIPAA Security Rule compliance audit must be conducted at least annually for applicable systems.

6. Electronic Communications

6.1 General Requirements

  • Electronic communications systems are provided to support the academic and administrative missions of the college.

  • Incidental personal use is permitted to the extent approved by CCC's board of directors.

  • Electronic communication shall comply with all College policies, procedures, and standards.

  • Electronic communications systems not officially provided by CCC shall not be used for Controlled Sensitive Data without express written consent of CCC's CIO/CISO.

6.2 Email Use

  • Staff shall not conduct official college business using non-CCC email addresses except in emergency situations.

  • All communications using CCC's systems shall be conducted lawfully, respectfully, and professionally.

  • Users shall not claim to represent the college unless officially authorized.

  • Email communications with students shall be conducted using the student's CCC-provided email address, except in limited circumstances.

  • If students initiate contact using a non-CCC email, recipients should redirect communication to the CCC-operated email platform.

6.3 Email Security

  • Users shall exercise caution when opening attachments or clicking links in emails from unknown senders.

  • Suspected malicious communications shall be reported to CCC's ITS Security team.

  • Users shall not attempt to forge email headers or spoof sender information.

  • Warnings about information security issues shall be sent only from authorized CCC email accounts.

  • Mass mailings should use accounts specifically intended for that purpose.

  • Third-party services used to send email on behalf of CCC must be registered with ITS prior to use.

7. BYOD (Bring Your Own Device)

7.1 Personal Device Use

  • Personal devices are subject to all CCC policies.

  • Staff shall not store Controlled Sensitive Data on personal devices.

  • Access to the staff Wi-Fi network requires authentication and may require installation of certificates or software agents.

  • Personal devices must not be connected to CCC's wired networks without authorization from CCC's CIO/CISO.

7.2 Device Security Requirements

  • Personal devices must be patched and free of malware to connect to CCC networks.

  • Wireless devices must not be rooted or jailbroken.

  • Devices failing to comply with policies may be removed from the network and banned.

  • For e-commerce environments and payment processing, additional security controls are required to comply with PCI DSS requirements effective March 31, 2025.

8. Public Computing Resources

8.1 Public Computer Access

  • CCC provides public access computing in designated areas only.

  • Staff use of public computers must comply with CCC policy and posted rules.

  • Users must comply with all instructions from authorized personnel.

  • CCC staff shall yield access to publicly accessible computers to students.

8.2 Restrictions on Public Computers

  • Public computers shall not be used to access Controlled Sensitive Data.

  • Storage devices containing Controlled Sensitive Data shall not be connected to public computers.

9. Monitoring and Privacy

9.1 Privacy Expectations

  • Employees shall have no expectation of privacy when using CCC Technological Resources.

  • All data stored on CCC Technological Resources is a public record under Oregon law and subject to disclosure unless exempted by law.

  • Electronic communications are college records that may be disclosed under the Oregon Public Records Law, by subpoena, or to conduct college business.

9.2 System Monitoring

  • Electronic Communication Systems are monitored to maintain functionality and prevent malicious activities.

  • Data collected from monitoring may be disclosed to ITS staff and appropriate authorities as required by law.

  • Data monitoring practices comply with the 2025 NIST Privacy Framework to balance security needs with privacy protections.

10. Intellectual Property and Copyright

10.1 Copyright Compliance

  • Users shall not violate intellectual property rights protected by copyright, trade secret, patent, or other laws.

  • This prohibition includes installing or distributing "pirated" software products.

10.2 License Compliance

  • Users shall abide by the terms of all licenses, contracts, or agreements regarding intellectual property.

  • Software usage must comply with all licensing terms.

11. Third-Party Services and Cloud Platforms

11.1 General Requirements

  • Users shall comply with contractual and license agreements between CCC and third parties.

  • Third-party sites and services shall only be used to the extent approved for supporting CCC's missions.

11.2 Data Security with Third Parties

  • Controlled Sensitive Data shall not be stored, transmitted, or processed by third-party sites or services unless approved for the specific use.

  • Security measures implemented by business associates must be verified annually per 2025 HIPAA requirements.

  • Payment page scripts must be properly authorized, checked for integrity, and monitored for tampering in e-commerce environments per 2025 PCI DSS requirements.

12. Incident Response and Contingency Planning

12.1 Security Incident Response

  • All security incidents must be immediately reported to the ITS department.

  • CCC has implemented a formal security incident response plan that complies with 2025 HIPAA and NIST guidelines.

  • Systems and data must be restored within 72 hours following a cybersecurity incident, with restoration priority according to criticality.

12.2 Business Continuity

  • Contingency planning for critical systems is required to maintain educational and administrative functions.

  • Regular backup and recovery testing must be performed to ensure data availability.

Exemptions

None. All staff must comply with this policy in its entirety.

Exceptions

Exceptions to this policy may be granted only in extraordinary circumstances and must be approved in writing by the CIO/CISO. Requests for exceptions must include:

  • Specific policy provision(s) for which the exception is requested

  • Business justification for the exception

  • Risk assessment and mitigation measures

  • Duration of the requested exception

Exceptions are temporary and subject to review at the discretion of the CIO/CISO.

Details

Article ID: 153391
Created: Tue 8/1/23 5:50 PM
Modified: Wed 5/21/25 4:47 PM