800 Information Technology/Computer Usage

Acceptable UseThis term consists of these related concepts:

• Information/data and systems may only be used by authorized individuals to accomplish tasks related to their jobs. Use of the information and systems for personal gain, personal business, or for any activity which violates a law is prohibited.
• Information not classified as public must be protected, and must not be disclosed without authorization. Unauthorized access, manipulation, disclosure, or secondary release of such information constitutes a security breach, and may be grounds for disciplinary action.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Authentication

Proving that devices or persons are who they say they are. The most common form of authentication is a user-id and password. The computer or electronic device must be capable of providing authentication.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Authorized User

Individual or entity permitted to make use of College computer or network resources. Authorized users include students, staff, faculty, alumni, sponsored affiliates, and other individuals who have an association with the College that grants them access to college IT resources.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

College Electronic Data

Digital information that was created by or for the College or for which the College has a custodial responsibility.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Data Custodian

Representatives of the College who are assigned responsibility to serve as stewards of College data. They are responsible for developing procedures for creating, maintaining, and using college data, in compliance with applicable policies, procedures, and laws.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Data Owner

The principal supervisor responsible for ensuring proper management of the data over its lifetime.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Information Technology Resources

Facilities, technologies, and information resources used for information processing, transfer, storage, and communications. Examples include but not limited to computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones, voice mail, fax transmissions, video, multimedia, instructional materials.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Restricted Data

Data that does not fall within the definition of "public" data as defined by the Family Educational Rights and Privacy Act (FERPA) or College policies.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Security Incident

Intentional or accidental occurrence affecting information or related technology in which there is a potential loss of data confidentiality or integrity, or disruption of service.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Security Log

Events captured by the operating system or other software that are outside of established parameters. Examples include, but are not limited to, multiple log-on attempts within a short time period or attempted access of a protected file.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Security Measures

Processes, software, and hardware used by system and network administrators to ensure the confidentiality, integrity, and availability of the IT resources and data owned by the College and its authorized users. Security measures may include reviewing files for potential or actual policy violations and investigating security-related issues.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Rights and Responsibilities - The Computer User

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Access is granted to information technology (IT) resources in order to facilitate academic and administrative job activities. Those using IT resources agree to abide by federal and state laws, and college policies and procedures, including those related to harassment, plagiarism, commercial use, security, unethical conduct, theft, copyright and licensing infringement, unlawful intrusions, data privacy, and accessing pornography.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Users are responsible for:

• reviewing, understanding, and complying with all policies and procedures related to access, acceptable use, and security of information technology resources;
• asking systems administrators or data custodians for clarification on access and acceptable use issues not specifically addressed in policies and procedures; and
• immediately reporting possible policy violations to one of the following people:
  • Director of Network Computing
  • Director of Administrative Computing
  • Associate V.P. of Technology and Online Learning
  • V.P. for Human Resources

When guests are granted access to IT resources they must abide by these policies and procedures.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Liability for Personal Communications

Computer users are responsible for the content of their personal communications. The College accepts no responsibility or liability for personal or unauthorized use of its resources by users.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Privacy and Security Awareness

Users should be aware that although the College takes reasonable security measures to protect the security of its computing resources and accounts assigned to individuals, the College does not guarantee absolute security and privacy. Users should follow the appropriate security procedures listed in this document to assist in keeping systems and accounts secure.

The College assigns responsibility for protecting its resources and data to systems administrators and data custodians, who treat the contents of individually-assigned accounts and personal communications as private, and do not examine or disclose the contents except:

• as required for system maintenance including security measures;
• when there exists reason to believe an individual is violating the law or college policy.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Consequences of Violations

If, in the course of an investigation, it appears necessary to protect the integrity, security, or continued operation of its computers and networks, or to protect itself from liability, the College may temporarily deny access to its IT resources. Inappropriate use of IT resources may result in disciplinary action and contact of applicable law enforcement agencies.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

The College owns all official college data that resides on its systems and networks, and is responsible for taking necessary measures to ensure the security of its systems, data, and users’ accounts. The College does not seek out personal misuse. However, when it becomes aware of violations, either through routine system administration activities or from a complaint, the College investigates as appropriate, and takes necessary actions to protect resources and to provide information relevant to an investigation. Access to individual computer content requires approval of the College President or designee.

Content Owner: Human Resources

Login IDs are a unique combination of username and password granted to individuals for their use only. Whenever there is reason to believe that a login ID has been compromised, a System/Network Administrator should be contacted immediately.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2008

All users must log out or lock PC before leaving the area.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2008

Hard copy data obtained from the student information and administrative systems must be carefully protected, especially those which contain restricted data. Provisions must be made for secure disposal by shredding.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2008

Users may access only accounts, files, and data that are publicly available or to which they have been given authorized access. It is the responsibility of all users to secure information that is in their possession.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2008

The administrative data center and network wire closets are restricted to authorized personnel.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2008

Use of the College’s network resources is subject to the Acceptable Use Policy of our Internet provider, MoreNET. It can be found at the following URL: http://www.more.net/content/service-policies.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2008

Data owners are responsible for determining what information is appropriate for distribution, the audience for distribution, and the methods and timing of distribution.

Content Owner: Human Resources

Data owners must ensure that the information distributed is in compliance with any regulatory requirements as defined in the Family Educational Rights and Privacy Act (FERPA) and College Board Policies and Procedures. The distribution methods or non-system data storage (i.e., paper, or any portable data storage device) must provide adequate security over the information contained on the particular media.

Content Owner: Human Resources

Data owners must ensure that all individuals with access to information are aware of the confidential nature of the information and the disclosure limitations that apply. Unauthorized release of restricted information may result in disciplinary action up to and including dismissal from the College.Examples of restricted data include:

• Social security number
• Home phone number
• Home address
• Health information
• Academic Records
• Location of assets
• Anonymous donors
• Gender
• Ethnicity
• Citizenship
• Citizen visa code
• Veteran and disability status
• Library patron usage history
• Credit card numbers
• Protected vendor documentation

See also Board Policy 583.0 – Release of Student Information.

Content Owner: Human Resources

Password protection applies to all electronic devices and systems connected to the College network including computers, network switches and routers, personal digital assistant devices, laptop computers, and password authenticated software.

Content Owner: Human Resources

Passwords are used on the College’s devices and systems to facilitate authentication. The security of information is highly dependent upon the confidentiality and characteristics of passwords. Compromised passwords can result in loss of data, denial of service for other users, or attacks directed at other Internet users from a compromised machine. Compromised passwords can also result in the inappropriate disclosure of private data.

Content Owner: Human Resources

Password Guidelines

A password must be used for all devices and software requiring authentication. Passwords must be periodically changed as required by each system.

Content Owner: Human Resources

College e-mail, computers, and networks may be used only for legal, authorized purposes. Occasional, brief personal use is permitted. Unauthorized or illegal uses include but are not limited to:

• Use that violates any federal or state law;
• Unauthorized access to files or computer resources (including remote computer systems);
• Copying, revising, damaging, removing, or distributing programs or data, or any other user’s programs or data without the express permission of the owner;
• Activities that disrupt normal computer/network use and services including, but not limited to:
  • Propagation of computer viruses
  • Sending chain letters or unauthorized mass e-mails
  • Unnecessary printing or other network traffic
• Damaging or altering college computer equipment or supplies;
• Use that is harmful or harassing to other users;
• Introduction of any unacceptable information onto the administrative or academic systems and applications. Unacceptable types of information include:Information that infringes on the rights of others
  • Information that is abusive, profane, or sexually offensive
  • Information that may injure another or lead to a lawsuit; such as pirated software, destructive software (including computer viruses), pornography, libelous statements, unauthorized copies of licensed software, or copyrighted media files
  • Advertisements for commercial enterprises.
  • Software programs not approved by a director of IT.
• Use of college computing resources for personal or monetary gain;
• Access to the College’s network resources via any unauthorized device;
• Violation of regulations as stipulated in the Family Educational Rights and Privacy Act (FERPA) and College Board Policies and Procedures.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Software must only be installed by authorized IT staff.

Content Owner: Human Resources
Issued: 07/2007
Revised: 04/2010

Any incidents of concern, including but not limited to the following examples, should be reported immediately to the IT Department:

• An electronic device containing college information is lost or stolen.
• An employee uses access to restricted data for reasons unrelated to the job.
• A secure area that houses network devices is left unattended and unlocked.
• Network security is breached by a virus or unauthorized user.

Content Owner: Human Resources

To preserve Internet access and campus network capacity for core mission applications, the IT Department will manage the data network bandwidth (a limited amount that is purchased yearly) and prevent any one application from monopolizing this limited and valuable resource.

Content Owner: Human Resources

The College’s bandwidth resources will be apportioned according to need, and greater consideration will be given to those applications which are considered at the core of the College’s mission. The IT Department will approve any rate limits.

Content Owner: Human Resources

All wireless network infrastructure located on the campus must be approved and managed by the College’s IT Department.

Content Owner: Human Resources

The wireless network infrastructure is intended to compliment the wired infrastructure. Where possible, the use of a wired connection is preferred because it is faster, and it does not compete with wireless users for bandwidth.

Content Owner: Human Resources

The College’s wireless network utilizes the 2.4GHz and the 5.8 GHz radio frequency spectrum. The College reserves the right to disconnect or remove any device that interferes with the wireless infrastructure.

Content Owner: Human Resources

Privately-owned computers are those devices which are neither owned by the college, nor administered by the IT staff. The use of these computers is allowed to the extent that the following criteria are met:

• Must not be used to store or access legally-protected data
• Use established and documented methods to connect to the College’s network
• Connection to the College’s network is only by way of designated points, those points being either a college-maintained wireless access point or a pre-arranged wired network jack
• They contain an up-to-date anti-virus solution and the highest level of operating system patches available

Content Owner: Human Resources

The department or individual directly responsible for restricted data on a college computer or other electronic device is required to ensure that any restricted information on that device is securely removed before sale or transfer. Examples of such sales and transfers are: transfer to another department; public sale; donation; or scrapping. Such computers must be electronically cleared using a secure data deletion program or the physical media must be destroyed. Tapes, CDs, cartridges and other storage and backup media containing non-public information must also be securely deleted or destroyed before disposal or transfer.
Since it is possible that even systems not perceived as containing important information can have remnants from previous activity, it is recommended that all systems and media being transferred to another department or another type of use be electronically cleared. IT staff will provide assistance.

In addition to the departmental staff who are responsible for non-public data on electronic systems, staff involved in any transfers of equipment through sales, recycling, donations, or scrapping must be certain that data and licensed software has been removed.

In advance of destruction of records refer to Board Policy 586.0 – Document Retention and Destruction.

Content Owner: Human Resources

Authorized senders

College employees who may send a broadcast e-mail to students or approve a large target group. This would include the College President, Vice Presidents, Deans, Directors, the Student Activities Coordinator, or any of their designees.

Content Owner: Marketing and Student Life
Revised: 01/2015

Broadcast e-mail

An e-mail sent to all students. This would include a regularly published electronic newsletter compiled and sent by the Marketing and Communications (MAC) Department, as well as separate broadcast e-mails such as urgent notifications.

Content Owner: Marketing and Student Life
Revised: 01/2015

Content creator

Anyone who creates a broadcast or targeted e-mail. Content creators can initiate and create e-mails but may not necessarily send them.

Content Owner: Marketing and Student Life
Revised: 01/2015

Institutional Messages

Those messages that would appear to the recipient as having come from the college as an entity, rather than from an individual sender. Some examples are:

• The broadcast Electronic Newsletter
  • Academic program and course information and announcements.
  • Notices and deadlines related to registration, financial aid, library, academic counseling, bookstore, child center, and other campus services.
  • Student organization activities and events.
  • “People in the news” and campus highlights.
  • Cultural arts events and other calendar items.
  • Policies and procedures of the college.
• Notification of campus network outages and other computer-related matters.
• Emergency notices and urgent messages, including class/event cancellations, weather advisories, and health and safety alerts.

Content Owner: Marketing and Student Life
Revised: 01/2015

Moderator

Designated person who reviews e-mails generated by content creators if there is a question regarding content.

Content Owner: Marketing and Student Life
Revised: 01/2015

Targeted broadcast e-mail

An e-mail with a message intended for a target student group; for instance, students who have missed a tuition payment deadline.

Content Owner: Marketing and Student Life
Revised: 01/2015

Target group

A subset of students who have stchas.edu e-mail addresses designated to receive a targeted e-mail. Group lists will be created by the IT Department from addresses or criteria provided by an authorized sender or designee (excluding class rosters). A list of 40 or more recipients requires the approval of an authorized sender.

Content Owner: Marketing and Student Life
Revised: 01/2015

• E-communication to students should be clear, concise, accurate, and reflect positively on the college. To ensure the quality and appropriateness of the message, the Marketing and Communications (MAC) Department will review and approve all broadcast and targeted e-mails before they are sent to students.
• Any e-mail that is sent to two or more students is required to have the recipients’ email addresses entered in the “BCC:” section only, to protect the addresses from being viewed by other recipients.
• It is recommended that faculty use the course management system (WebCT) as their primary means of e-communication with students enrolled in their classes.

Step 1: Content creator writes e-mail message. Some departments may require supervisor approval before further distribution.

Step 2: If there is a question concerning content, the message should be sent to a moderator for review.

Step 3: Content creator sends message to MAC Department for review and either (a) inclusion in Electronic Newsletter, (b) immediate distribution by MAC Dept., or, (c) return of proposed e-mail to content creator, who will send or forward for distribution.

Step 4: MAC will automatically be copied on all broadcast e-mails that are sent.

Content Owner: Human Resources

Step 1: Anyone wishing to create a targeted e-mail group must first submit a Target Group Request form to the IT Department.

Step 2: Content creator writes e-mail. Some departments may require supervisor approval before further distribution.

Step 3: If there is a question concerning content, the message should be sent to a moderator for review.

Step 4: If sending to a group of more than 40 recipients, content creator sends e-mail message to the MAC Department for review.

Step 5: If the message was sent for review, MAC Department returns the message.

Step 6: Content creator will send the e-mail message or forward for distribution.

Step 7: MAC will automatically be copied on all targeted broadcast e-mails that are sent. E-mails sent by faculty members to students enrolled in their classes do not fall under “targeted broadcast e-mails” category.

Content Owner: Human Resources

Examples of inappropriate computer include, but are not limited to:The creation and exchange of messages that are offensive, harassing, obscene, or threatening.

• The exchange of confidential information to persons without a need to know.
• The creation or exchange of advertisements, solicitations, chain letters, or other spam.
• The use of e-mail for commercial purposes.
• The creation, storage, or exchange of information in violation of copyright laws.
• Reading or sending messages from another person’s account without authorization.
• Intentional distribution of computer viruses.

Content Owner: Human Resources