Information Technology – Acceptable Usage

Administrative Procedure 7.101

Overview

The intent of publishing this Information Technology - Acceptable Usage Administrative Procedure is to protect Elgin Community College’s established shared values within its technological environment. To uphold these values we are committed to protecting our employees and students from illegal and damaging actions by individuals, either knowingly or unknowingly. Elgin Community College’s (hereinafter termed “College”) technological environment is the property of the College. Securing this technological environment is a team effort involving the participation and support of every Client who accesses the College’s technological environment. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

Purpose

The purpose of this Administrative Procedure is to outline the acceptable use of technology at Elgin Community College in order to protect its employees, its students and its data. It is our intent to gain maximum benefit from our technological environment within the framework of the College’s mission, goals and values. Inappropriate use exposes the College, its employees, its students and its data to malicious acts including but not limited to viruses, malware, compromised data and systems, and legal issues.

Scope

This Administrative Procedure applies to Elgin Community College employees, student workers, and any contractors, vendors, freelancers, or other agents who utilize the College’s or personally-owned computers to access the College’s technological environment. This Administrative Procedure applies to all equipment that is owned or leased by Elgin Community College as well as personally owned devices that contain College Confidential and Sensitive Information (CSI) related to College business.

Definitions of Terms Referenced

  1. Clients: any Elgin Community College employee, student worker, contractor, vendor, freelancer or other agent who utilizes the College’s or personally-owned device to access the College’s technological environment
  2. College: Elgin Community College
  3. Demilitarized zone (DMZ): an area of an organization’s network, with limited access to the internal network, which contains resources accessible to the public (i.e. an organization’s web server, a web mail server)
  4. Electronically stored information: (hereinafter termed “ESI”) refers to any type of information that is stored electronically
  5. Internet: the worldwide computer network available through any Internet Service Provider (ISP) through which one can search for information, send electronic mail (e-mail), etc.
  6. Intranet/accessECC Portal: an internal information network available only through devices internal to the College or with proper authentication. .
  7. Malware: a general term for any malicious software that interferes with a device’s intended function by secretly gathering information about the user or organization and sending the personal data to unauthorized parties over the Internet (i.e. Trojans, spyware). Malware may allow unauthorized parties full or partial control over a device’s operation to conduct malicious activities without the user’s knowledge.
  8. Technological environment: all computer hardware (cables, computers, servers, storage media, printers, wireless access points, etc), software, resources within the College’s internal network, external web servers, web mail servers, and public network (Internet access, network accounts, e-mail addresses) and all data transferred within these interconnected devices within College facilities for the purpose of storage, retrieval and sharing of electronic information.

Network Resource Usage – Internet, E-mail & Other ESI

Access to and use of the College’s technological environment is provided to employees, students and other Clients of Elgin Community College for the purpose of advancing the goals of the College. This access imposes certain responsibilities and obligations on employees and other Clients accessing the College’s technological environment and is subject to College policies and local, state and federal laws.

All data, e-mail, e-mail attachments, documents and other electronically stored information (ESI) within the network/e-mail system are the property of Elgin Community College. While the College's Information Technology staff desires to provide a reasonable level of privacy, users should be aware that we cannot guarantee the confidentiality of information stored on any network device belonging to the College. The College, acting through Information Technology, managers and supervisors, has the capability and the right to view data and e-mail at any time when deemed necessary for business purposes. This Administrative Procedure does not supersede any state or federal laws regarding privacy, confidentiality and appropriate use.

Information Technology currently backs up data that is located on servers, network file shares, and within individual users’ “My Documents” folders. Data stored on local drives (c:, d:, or other removable media) as well as on the users’ desktop are not currently backed-up. Files in these locations are not recoverable if there is an incident.

Acceptable use is defined as that which is lawful, ethical, and reflects honesty and respect for others. Clients may be subject to limitations on their use of the technological environment as determined by the appropriate supervising authority.

In addition, archival and backup copies of ESI may exist despite end-user deletion. The goals of these backup and archiving procedures are to ensure system reliability, prevent business data loss, meet regulatory and litigation needs, and to provide business intelligence.

Backup copies exist primarily to restore service in case of failure. Archival copies are designed for quick and accurate access by company delegates for a variety of management and legal needs. See Administrative Procedure Records Retention and Disposal 3.102.

Securing Our Electronically Stored Information

  1. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. User level passwords should be changed every 180 days and should comply with Administrative Procedure Password Policy 7.102.
  2. All applications, desktops, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 15 minutes and by either locking the device or logging-off when the device will be unattended, whichever is appropriate.
  3. Prior to the installation of any software, expressed written approval must be given by ECC Information Technology personnel. Once written approval has been given, the installation must be conducted by ECC Information Technology personnel and a Help Desk ticket must be logged.
  4. Information contained on portable computers is especially vulnerable, and therefore special care should be exercised.
  5. All devices used by the employee or student that are connected to Elgin Community College resources shall be continually executing approved virus-scanning software with a current virus database.
  6. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

Unacceptable Usage of the College’s Technological Environment

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to run network monitoring tools to ensure smooth network operation and security scanners to ensure vulnerabilities are remediated). Under no circumstances is an employee of Elgin Community College authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Elgin Community College-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

The following activities are prohibited:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use in Elgin Community College’s technological environment.
  2. Unauthorized copying or downloading of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Elgin Community College or the end user does not have an active license is strictly prohibited.
  3. Introduction of malicious programs into the network or server, either knowingly or unknowingly (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  4. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  5. Use of Elgin Community College’s technological environment to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
  6. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  7. Port scanning and security scanning is expressly prohibited unless these duties are within the scope of regular duties. These duties are possessed only by members of the College’s Information Technology department.
  8. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal responsibilities. These duties are possessed only by members of the College’s Information Technology department.
  9. Circumventing user authentication or security of any host, network or account.
  10. Interfering with or denying service to any user other than the employee's host (e.g., denial of service attack).
  11. Using any program, script or command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet or Intranet.
  12. Sending or receiving harassing, threatening, abusive or annoying communications regarding age, gender, sexual orientation, race, religion, political orientation, national origin, or disability.
  13. Usage of technological resources for profane and/or pornographic content.
  14. Providing network access to any unauthorized person or system.\
  15. Usage of Elgin Community College’s technological resources for unauthorized activities for another organization.

Enforcement

Any Client found to have violated this Administrative Procedure may be subject to disciplinary action, up to and including termination of employment or contractual agreement.