Computer/Network Acceptable Use Policy
Access to computer systems and networks owned or operated by The College of St. Scholastica is a privilege which imposes certain responsibilities and obligations and is granted subject to College policies and local, state, and federal laws. The objective of this policy is to ensure an available, reliable, secure, and responsive network environment at The College of St. Scholastica. It is the responsibility of each User to ensure that the College's technology is used appropriately.
ACCEPTABLE USE POLICY
Any activity that compromises the performance of the College's computers and/or network such that others are negatively affected is not acceptable. Acceptable use is always ethical, reflects academic honesty, and shows restraint in the consumption of shared resources. It demonstrates respect for intellectual property, ownership of data, system security mechanisms, and an individual's rights to privacy and freedom from intimidation, harassment, and unwarranted annoyance. If any use adversely impacts the network, the user will be asked to reconfigure his or her work so that network impact is avoided.
Examples of inappropriate use at any time include but are not limited to:
· Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by The College of St. Scholastica.
· Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which St. Scholastica or the end user does not have an active license.
· Introduction of malicious programs onto any device connected to the campus network (i.e., viruses, worms, Trojan horses, e-mail bombs, etc.).
· Revealing your account password to others or allowing use of your account by others. This includes student employees as well as family and other household members when work is being done at home.
· Using a St. Scholastica computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
· Making fraudulent offers of products, items, or services originating from any St. Scholastica account.
· Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
· Port scanning or security scanning is expressly prohibited unless prior notification to the Information Technologies Department is made.
· Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
· Circumventing user authentication or security of any host, network or account.
· Interfering with or denying service to any user or network (i.e. denial of service attack).
· Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
SOFTWARE LICENSING COMPLIANCE POLICY
Software may only be used in compliance with applicable license and purchasing agreements. Only authorized copying of files or programs and authorized program utilization are ethical and legal. The Information Technologies Department is charged with the responsibility for enforcing software licensing compliance for the College. Please refer to the IT Support Standards for detailed information.
The purpose of this policy is to prevent unauthorized access to the College's or individual's data/information stored on the Network. At the same time, we are striving to achieve three goals necessary for a productive networking environment, namely:
· Availability - ensure that systems, networks, applications, utilities and data are on-line and accessible when authorized users need them for uses and purposes consistent with the College's mission and goals.
· Integrity - protect College information, data, or software from improper modification or access (i.e. virus or unauthorized access).
· Confidentiality - assure that sensitive data is read only by authorized individuals and is not disclosed to unauthorized individuals or to the public.
While not identified as a goal, per se, every effort will be made to implement security measures that will not impact performance of the network. In order to ensure this environment for all students, faculty, and staff associated with the College, users are responsible for taking reasonable precautions to maintain the security of information stored on, or accessed by, their computer system(s).
Anyone who attempts to disable, defeat or circumvent any security measures will be in violation of this policy. Access to the CSS network increases the vulnerability of whatever equipment is connected to the network. While the following measures can reduce the risk of exposure, CSS makes no warranty, either explicit or implied, with respect to security measures implemented on the network or computing resources. Users shall be responsible for their own security measures to protect hardware, software and data.
Individual Computer Policy
Users are responsible for maintaining security controls on their college-issued computer equipment that connects to the College's Network, including but not limited to: encryption of laptops that may contain confidential information; current antivirus software; up-to-date system patches; and screen saver passwords. Computers owned by the College will be configured in this manner. Please note that confidential data is not to be stored on desktops or any auxiliary storage device. Please reference the Computer Desktop Security Standard for additional information.
What could happen when you share your password?
If you share your network password (or logged on personal computer) with another user, this user will then have access to any private data and programs that are accessible through use of your password. This would include data in your own computer and files as well as data in other users' files and in any shared files that you have special permission to use. You are responsible for any unauthorized access to confidential data that is thus made available. You are also responsible in case of accidental or purposeful erasure and/or tampering with your data. It is possible that this user might accidentally or intentionally damage systems software and that such an incident would be traced back to your computer or user id. You are responsible for any damage made possible by the sharing of your password.
· If you share your e-mail password with other users, they could send mail to others using your password and your name. If a user sends e-mail locally that is malicious or embarrassing, the received e-mail will look like it came from you. A malicious, naive, or inattentive user could send off campus e-mail that might jeopardize St. Scholastica's permission to access parts of the Internet. You are responsible for the uses that are made of your e-mail password.
What can you do to secure your ID and password?
Examples of activities that help ensure a secure network include, but are not limited to, the following:
· Log off of general use computers (labs and work rooms) when not using them.
· Choose passwords wisely and keep them secret [see Password Policy].
· Do not aid or allow any unauthorized person to use College computer or network equipment.
· Access the network and data in an authorized fashion only. Using someone else's password to access unauthorized services or data is a violation of this policy, regardless of how the password was obtained. Do not use anyone else's password.
· Ensure your workstation, when logged on to the network, is reasonably secure in your absence from your office. Examples include but are not limited to:
o Enable Windows security by hitting the Windows key and the "L" key at the same time.
o Locking your office door when absent or logging out.
· Never type a password for an unknown person.
· Never send security related information (i.e. a password) over e-mail.
· Do not give accounts or passwords to anyone over the phone or to unknown service technicians.
· Do not attempt to break into accounts or bypass security measures in any way.
· Password protect your mobile phone and use available encryption features to protect sensitive data, including work email, that may be contained on it.
· Do not configure your web browser to remember passwords or form data.
o To do this in Internet Explorer: Go to Tools - Options - Content - Autocomplete - Settings - Uncheck all boxes.
o In Firefox: Go to Tools - Options - Privacy - History - Never Remember History.
· If you should inadvertently obtain information to which you are not entitled or become aware of a breach of security pertaining to any computing service, immediately report the incident to the IT Security Manager, extension 7097, or the Chief Information Officer, extension 5966.
What is the College doing to help protect information on the network?
To support the identified goals of this Policy, the Information Technologies Department:
· Is responsible for managing and overseeing security to ensure privacy and integrity of user information. This will include reasonable efforts to ensure that:
o Shared programs and data are available to users and are invulnerable to accidental erasure and/or tampering.
o E-mail and private user information (on servers) are invulnerable to accidental erasure and/or tampering.
o Backups of both public and private server information are made at least weekly, so that any information lost, erased, or corrupted can be recovered.
· Monitors the system for security breaches and unauthorized activity using available security utilities and software.
· Utilizes a variety of network equipment to assist in the safety and security of the College's networks.
· Uses available utilities to ensure secure movement of data within the CSS network and over the Internet.
· Takes reasonable precautions to minimize network and machine downtime.
The primary purpose of the College's e-mail system is for correspondence relating to the mission of the College. E-mail is a resource provided to the College Community to enhance the performance and productivity of the College. The College community recognizes that the hardware, software, and network resources used by the e-mail system as well as e-mail correspondence are owned by the College.
The following actions are not allowed:
· Sending unsolicited e-mail messages or newsgroup posts, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (e-mail spam).
· Any form of harassment via e-mail, telephone or paging, whether through language, frequency, or size of messages.
· Unauthorized use, or forging, of e-mail header information.
· Solicitation of e-mail for any other e-mail address, other than that of the poster's account, with the intent to harass or to collect replies.
· Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
· Use of unsolicited e-mail originating from within St. Scholastica's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by The College of St. Scholastica or connected via St. Scholastica's network.
E-mail communications are not considered private despite any such designation or functionality within the software application, either by the sender or the recipient. Access to the College's e-mail services is a privilege that may be wholly or partially restricted by the College without prior notice and without consent of the e-mail user when required by and consistent with law when there is a substantiated reason to believe that violations of policy or law have occurred or, in time sensitive cases, when required to meet critical operational needs. The administrators of the College's e-mail system may, within certain limits, block mail including external, unsolicited, bulk e-mail (spam) or viruses.
Sending messages to groups:
· Do not select the entire address list for inclusion in the to:, cc: and/or bcc: fields.
· Send only to those people who "need to know" the information.
· Never use the Return Receipt option when sending to large groups.
Security of E-mail
· Never open an attachment or click on a web link from a person that you do not know. Many phishing scams involve an infected attachment or web link that looks to be from a legitimate bank or financial institution.
· Be aware of the potential for forged e-mail. One example is that a person has acquired another individual's password and that person pretends to be the other individual and sends forged e-mail.
· Be extremely careful when executing programs you receive via e-mail, as they may contain viruses that could be dangerous to the network, servers, or your computer.
· Users should be sensitive to the public nature of the shared computing facilities and take care to refrain from transmitting to others in any location inappropriate images, sounds, or messages which might reasonably create an atmosphere of discomfort or be considered harassing.
· Do not say anything you would not want others, besides your correspondent, to read. Messages meant to be confidential can be intercepted during or after transmission, and even deleted messages might have been stored on backup tapes. Users are advised not to send confidential College communications via e-mail. The College will make every attempt to assure the security of the e-mail system; however, this is not a guarantee.
· The College does not monitor e-mail communications as a matter of routine. However, Users understand and consent to any monitoring, interception, use or disclosure of e-mail communications deemed necessary by the College in its discretion for the purpose of investigating and enforcing its Acceptable Use Policy, maintaining the integrity and efficient operation of the College's systems, or as may be required in connection with legal requests from governmental authorities.
· The College can assure neither privacy of an individual user's use of the e-mail resources nor the confidentiality of particular messages that may be created, transmitted, received, or stored.
· Backup copies may be retained for periods of time even if the user has deleted the message from his account.
· IT members may, in the course of routine system maintenance, troubleshooting, upgrades, etc., inadvertently see the content of e-mail messages.
· E-mail account holders are expected to comply with College requests for copies of e-mail records in their possession that pertain to College business or whose disclosure is required to comply with applicable laws.
· E-mail account holders may, under certain conditions, have e-mail files accessed by others when it relates to College business.
· Do not send confidential information via e-mail such as social security numbers, account passwords, or credit card numbers.
Authorized Users of CSS computer networks and resources include faculty, staff, contracted Application Service Providers, contract employees, official guests and all currently registered students. Temporary privileges will be given, as appropriate, for official guests at the College. Unauthorized users may not use the College's computer systems or networks.
Contract employees must read and sign the "contract employee" agreement in Human Resources.
The College's network, and computing resources connected to it, are designed to be used for College purposes. Authorized users may utilize the College's network and computing resources for their own use on their own time as long as that use abides by all College policies and local, state, and federal laws.
The College expects users to be responsible in their use of the system. Faculty, staff, employees, and agents of the College agree to refrain from any private communication which suggests that there is College approval of such communication.
The College does not intend, as a matter of policy, to monitor the use of technology (including e-mail) and will respect individual privacy to the extent feasible. However, users understand and consent to any monitoring of network services deemed necessary by the College in its discretion for the purpose of investigating and enforcing its Computer and Network Policies, maintaining the integrity and efficient operation of the College's systems, or as may be required in connection with legal requests.
The system is owned by the College and the College maintains the right to provide further regulation, as it deems appropriate, to limit use or access, and to monitor the systems used for security purposes. Users, by their use of the system, acknowledge the College's rights in this regard.
The College cannot completely guarantee the security and integrity of any information placed on the network, including personal data or programs placed on the network or individuals' workstations. While reasonable measures are being taken to ensure the availability, integrity, and confidentiality of information on the network, there is still the threat of natural disaster, sophisticated hackers, and password violations which could jeopardize the system. Information stored on network servers is backed up, and therefore, recoverable.
In the event that this Policy is questioned, the Chief Information Officer is authorized to provide interpretation of this policy. Users violating this Policy will be required to discontinue their inappropriate use immediately. Any further violation may lead to the loss of network privileges as approved by the appropriate Dean or Vice President. Offenders are also subject to College disciplinary procedures as well as criminal or civil prosecution. Any appeals should follow appropriate College grievance procedures.