Introduction

This document sets forth college policy with regard to the use of information systems by college employees, contractors, consultants, and temporaries (hereinafter, “personnel”). This policy does not constitute a contract and the college reserves the right to change it at any time.

Information systems include all methods of electronic communications including, but not limited to, the use of cell phones, telephones and voicemail, internet, message boards, email systems, instant messaging systems, and personal digital assistant (PDA) devices used for college business. The information systems are those used to carry out college business and include those provided to personnel at the College’s expense, those owned by personnel with the ongoing expenses paid for by the college or personal systems used to carry out college business. This policy applies whether information systems are standalone or connected to a network.

Policy Statements

Access to Systems

— As a normal course of business, access to various information systems, including internet access and email will be provided to personnel. This is done to facilitate business communications. Upon termination or departure of a user ITS will make appropriate access control changes as appropriate.

Business Use/College Access, Deletion and Disclosure

— college information systems are to be used for business-related purposes and to transmit business information. Incidental personal use of information systems is subject to this policy and will be treated in the same manner as that used for business-related purposes. Personnel must have no expectation of privacy when using information systems at college, i.e., the college treats all communications sent, received or stored on information systems as business communications.

  1. Incidental personal use is only permissible if the use does not consume more than a trivial amount of resources that could otherwise be used for business purposes, does not interfere with user productivity, and does not preempt any business activity. Enforcement of this policy is the responsibility of the user’s manager.
  2. The college has the capability to access, review, copy, and delete any communications sent, received or stored on electronic media systems. The college reserves the right to access, review, copy, or delete all such messages for any purpose and to disclose them to any party (inside or outside the College) it deems appropriate.
  3. The college has the capability to monitor, track, and review all access to the Internet. The college reserves the right to monitor, track, and review all such access for any purpose and to disclose it to any party (inside or outside the College) it deems appropriate.
  4. Should employees make incidental use of information systems (including Internet access) to transmit personal messages, such messages will be treated no differently from other messages, i.e., the college reserves the right to access, review, copy, delete, or disclose them for any purpose. Accordingly, employees should not use information systems to send, receive, or store any messages that they wish to keep private. Users should treat information systems like a shared file system—with the expectation that messages sent, received, or stored in the system (including individual hard drives) will be available for review by any authorized representative of the college for any purpose.

Prohibited Uses

— Use of information systems to engage in any communications that are in violation of college policies, including but not limited to, transmission of defamatory, obscene, offensive, or harassing messages, or messages that disclose personal information about other individuals without authorization, is prohibited, as well as:

  1. Transmitting any college confidential or proprietary information, including personal data, financial data, or other material unless required in the normal course of an employee’s regular duties.
  2. Sending messages so that it appears to originate from anyone other than you. This includes “spoofing” another user, or sending a message from another user’s account.
  3. Publishing college confidential or proprietary information on an external web site or web log (i.e., “blog”)
  4. Use of information systems to copy and/or transmit any documents, software, or other information protected by copyright laws. Please refer to the College’s Copyright Policy.

Communications Etiquette

— Please bear in mind that your messages may be read or heard by someone other than the parties you send them to and may even someday have to be disclosed to outside parties or a court in connection with litigation. Accordingly, please take care to ensure that your messages are courteous, professional and businesslike.

Storing and Deleting Electronic Messages

—The college strongly discourages the storage of large numbers of electronic messages, in an online mailbox or in personal folders, for a number of reasons. First, because these messages frequently contain confidential information, it is desirable to limit the number, distribution and availability of such messages in order to protect the College’s information. Second, retention of messages requires large amounts of storage space and can slow down system performance. Finally, in the event that the college needs to search for important documents, the fewer documents that have to be searched, the easier the search will be. Accordingly, personnel are to promptly delete any messages they send or receive that no longer require action or are not necessary to an ongoing project. However, please keep in mind that all electronic messages are subject to the Retention Schedule section of college’s Records and Knowledge Management Policy and Procedure Manual.

Virus Protection Programs

—All personal computers must continuously run the current version of college’s anti-virus detection software package. The current version of this anti-virus software package must be automatically downloaded to each personal computer when the computer is connected to the college internal network. Personnel must not interfere with this download process. At a minimum, this package must execute whenever data is accessed from external storage media.

Eradicating Viruses

— Personnel must not attempt to eradicate a virus without expert assistance. If personnel suspect infection by a virus, they must immediately stop using the computer in question, physically disconnect the computer’s network cable, and contact the ITS help desk. If the suspected virus appears to be damaging information or software, personnel must immediately turn off the personal computer.

Experimenting with Viruses

— Personnel must not intentionally write, compile, copy, propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any college computer system.

Archival Copies

— The installation media for all personal computer software that is not standard college software must be copied prior to its initial usage and such copies must be stored in a safe and secure location. Vendor-supplied installation media must not be used for ordinary business activities, but must be reserved for recovery from virus infections, hard disk crashes, and other computer problems. Documentation about the licenses for such software must be retained to qualify the College for technical support, upgrade discounts, and to verify the legal validity of the licenses.

Changes to Application Software

— the College has a standard list of permissible software packages that personnel can run on their college computers. The current list of permissible software is available on the College intranet for review. Personnel must not install other software packages on personal computers without obtaining advance permission from ITS. Personnel must not permit automatic software installation routines to be run on College personal computers unless these routines have been approved by the college ITS. As part of normal operating procedures, upgrades to authorized software will be downloaded to personal computers automatically, without the involvement of individual users. Unapproved software may be removed without notice to the involved user. All acquisitions of personal computer software must be coordinated through ITS by contacting the ITS help desk. Personnel should report personal software loaded on College personal computers to the ITS help desk if they suspect the deployment of such software has not been coordinated through ITS.

Lending Personal Computers to Others

— Personnel must never lend a college personal computer containing sensitive information to another co-user unless that co-user has received prior authorization from the information owner allowing access to the sensitive information in question. College personal computers must not be loaned to or shared with non-personnel or other outside parties.

Modems

— Modems inside or attached to college office desktop personal computers are not permitted. Mobile and telecommuting personal computers are an exception to this rule. When in college offices, users needing to make outbound connections with remote computers must route their connections through modem pools or the Internet firewall.

Transferring Sensitive Information

— Sensitive college information may be transferred from a multi-user system to a personal computer only if a clear business need exists, adequate controls to protect the information are currently installed on the involved personal computer, and advance permission from the information owner has been obtained. This policy is not intended to cover electronic mail or memos, but does apply to databases, master files, and other information stored on minicomputers, servers, and other multi-user machines. This applies regardless of the media on which information is stored, the locations where the information is stored, the systems technology used to process the information, the people who handle it, or the processes by which information is handled.

Establishing Networks

— Personnel must not establish electronic bulletin boards, local area networks, modem connections to existing internal networks, Internet commerce systems, or other multi-user systems for communicating information without the specific approval of the ITS Department.

Automatic Device Synchronization

— Systems that automatically exchange data between devices, such as a personal digital assistant and a personal computer, must not be enabled unless the systems have been evaluated and approved by college ITS.

USB Storage Devices

— Personnel should not copy college confidential information to personal storage devices such as “key ring” hard drives that connect to PCs via USB. Portable storage devices can be easily lost or stolen and represent a compromise to college confidential information.

Positioning Display Screens

— The display screens for all personal computers used to handle sensitive or valuable data must be positioned such that the information cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception and related areas. Care must also be taken to position keyboards so that unauthorized persons cannot readily see personnel enter passwords, encryption keys, and other security-related parameters.

Changes to Operating System Configurations

— On college-supplied computer hardware, personnel must not change operating system configurations, upgrade existing operating systems, or install new operating systems. If such changes are required, they will be performed by ITS personnel, in person or with remote system maintenance software.

Changes to Hardware

— Computer equipment supplied by college must not be altered or added to in any way without the prior knowledge of and approval from authorized ITS personnel.

Periodic Backups

— All sensitive, valuable, or critical college information stored on college file servers will be periodically backed up. Such backup processes will be performed at least weekly. Personnel are responsible for storing sensitive, valuable, and critical college information on college file servers, such as personal network drives or departmental servers either in addition to, or as a required alternative to, storing such documents on the user’s personal computer.

Consequences of Non–compliance

— college management reserves the right to revoke system and account access privileges of any user at any time. Conduct that interferes with the normal and proper operation of college information systems, which adversely affects the ability of others to use these information systems, or that is harmful or offensive to others is not permitted. Non-compliance with this information system use policy, and all related standards or procedures, is grounds for disciplinary actions up to and including termination of employment.

Information Security Policy

— When using information systems, you must take certain precautions to secure the information being processed. Therefore, you should also reference the College Information Security Policy.