This document sets forth Mott Community College (“college”) policy with regard to access to, review or disclosure of information via electronic media and all other forms of communications delivered or received by college employees, contractors, consultants, and temporaries (hereinafter, “personnel”). This policy does not constitute a contract and the college reserves the right to change it at any time.
Information systems include all methods of electronic communications including, but not limited to, the use of cell phones, telephones and voicemail, internet, message boards, email systems, instant messaging systems, and personal digital assistant (PDA) devices used for college business. The information systems are those used to carry out college business and include those provided to personnel at the college’s expense, those owned by personnel with the ongoing expenses paid for by the college, and personal systems used to carry out college business. This policy applies whether information systems are standalone or connected to a network.
This policy defines baseline information security measures that everyone at the college is expected to be familiar with and to consistently follow. These information security measures are the minimum required to prevent a variety of different problems including, but not limited to: unauthorized access to sensitive, protected information, fraud and embezzlement, sabotage, errors and omissions, and system unavailability. This policy also defines the minimum controls necessary to prevent legal problems such as allegations of negligence, breach of fiduciary duty, breach of confidentiality, breach of contract, or privacy violation.
This policy document details reasonable and practical ways for all of us at the college to prevent unnecessary losses and is in addition to any other college policies governing security and/or confidentiality. Information and information systems are necessary for the performance of just about every essential activity at the college. If there were to be a serious security problem with this information or these information systems, the college could suffer significant legal and/or other consequences, including loss of college stakeholders, and degraded reputation.
— Communications using information systems should be treated in the same way as confidential printed materials. Here are three common circumstances you should avoid where confidentiality of information can be breached:
Personnel must exercise a greater degree of caution in transmitting confidential information electronically (such as email) than they take with other means of communicating information (e.g., written memoranda or letters) because of the reduced human effort required to redistribute such information:
In order to further guard against dissemination of confidential information, personnel should not access electronic messages (such as email) for the first time in the presence of others. Personnel must also be careful not to discuss sensitive information when in public places like hotel lobbies, restaurants, and elevators. Displaying sensitive college information viewable by others on a computer screen or hardcopy report is prohibited when a user is in a public place, such as seated on an airplane.
Personnel must be careful not to provide sensitive information in voicemail messages or alphanumeric pager messages that could be accessed by someone other than the intended recipient of the information. Caution should also be used when using certain forms of information systems such as wireless devices (e.g., cell phones, PDAs, instant messaging). While these are often used to send business communications that aren’t a security risk, do not rely on them for confidential communications due to the possibility of compromise.
— The security of our information and information systems can be compromised if your passwords are easy to discover.
- All sensitive information (such as personal records, social security numbers, financial account information, credit card numbers, medical records and information related to unique processes or devices patented by the college) must be encrypted when not in active use, e.g., when not manipulated by software or viewed by an authorized user. The use of physical security measures such as safes, locking furniture, and locking office doors is recommended as a supplementary measure to protect sensitive information. Information systems handling sensitive information must securely log all significant security-relevant events. Examples of security-relevant events include password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software. Use of an erase feature is not sufficient for deletion of sensitive information because the information may be recoverable. For technical support in deleting sensitive information, contact the ITS help desk.
— Information about security measures for college computer and network systems is confidential and must not be released to people who are not authorized users of the involved systems unless approved by the Director of Information Security.
— Personnel must not test or attempt to compromise computer or communication system security measures unless specifically approved and directed by ITS. Incidents involving unapproved system hacking, password guessing, file decryption, bootleg software copying, or similar unauthorized attempts to compromise information security measures may be unlawful, and will be considered serious violations of college policy. Shortcuts bypassing system security measures, pranks, and practical jokes involving the compromise of information system security measures are prohibited. Unless specifically authorized by ITS, personnel must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information security. Examples of such tools include those that defeat software copy protection, discover sensitive passwords, identify security vulnerabilities, or decrypt encrypted files.
— All suspected policy violations, system intrusions, virus infestations, or other information security alerts that indicate a potential risk to college information or college information systems must be immediately reported to the ITS help desk.
— College management reserves the right to revoke system and account access privileges of any user at any time. Conduct that interferes with the normal and proper operation of college information systems, that adversely affects the ability of others to use these information systems, or that is harmful or offensive to others is not permitted. Non-compliance with this information security policy, and all related standards or procedures, is grounds for disciplinary actions up to and including termination of employment.
— Inappropriate use of information systems can compromise information security. Therefore, you should also reference the college Information System Use Policy.