13. Acceptable Use Policy

Transcription

1 13. Acceptable Use Policy Purpose Indian River State College s intention for publishing an Acceptable Use Policy is to outline the acceptable use of computer equipment and services at Indian River State College. These rules are in place to protect the employee and Indian River State College. Inappropriate use exposes Indian River State College to risks including virus attacks, compromise of network systems and services, legal repercussions, and loss of stakeholder confidence. Indian River State College is committed to protecting its students, employees, and partners from illegal or damaging actions by individuals, either knowingly or unknowingly. Policy While Indian River State College s administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the college systems is considered the property of Indian River State College. This also includes any files downloaded via the Internet or transmitted via the local network. Because of the need to protect Indian River State College s network and computing resources, management may exercise the right to access and/or examine any information stored on any network device belonging to Indian River State College. , chat conversations, newsgroup postings, and other Internet communications may be seen by millions of Internet users. Therefore, personal views cannot be presented as though they are that of Indian River State College. Only a designated spokesperson for the College may represent Indian River State College or make statements on behalf of Indian River State College that may appear in any format including those available on the Internet such as electronic mail, newsgroups, chat rooms, etc. Under no circumstance is an employee of Indian River State College authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing collegeowned resources. Employees are prohibited from sharing passwords with each other. The IT and Enterprise System departments have procedures in place to assign a new password should an existing password be forgotten or compromised. Users should familiarize themselves with the Information Security Policies and Procedures Section 12 Password Policy for rules on constructing strong passwords. All access to the Administrative Data Systems (i.e., Mariner, Financier, etc.) will be requested based on the user s job responsibilities and by the appropriate Administrator. The request must be approved by a Vice President. Proprietary Information Use of software that violates the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not

2 appropriately licensed for use by Indian River State College is not permitted. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Indian River State College or the end user does not have an active license is strictly prohibited. Confidential Information This information is sensitive in nature to either the institution or individuals. Access to this information must be tightly restricted based on need to know. Additionally, all information protected by Federal or State laws or regulations (referred to throughout this document as protected information ) shall be treated as confidential. Examples include personal information that cannot be found in the public domain (e.g., Social Security Numbers, account numbers, date of birth, student grades, etc.), account information (e.g., account balances, payments, etc.), vendor information, and other sensitive information integral to the success of the college. Employees must exercise good judgment in properly handling confidential information. User Workstations Unless authorized by the Dean of Institutional Technology, users may not use workstations to: Store confidential data, including documents referencing confidential information. This data should be stored on secured network shared drives. Install or uninstall software or hardware unless required for completion of job tasks. Reconfigure the system settings, which include hardware and software modification using the control panel unless required for completion of job tasks. Copy or move confidential data to external media (i.e, floppy disk, writable CD, flash drives, etc). Download files from the Internet unless required for completion of job tasks. Allow others to use the workstation without logging off. When left unattended, workstations must be logged off or locked by the user. Systems will automatically lock or log off if there has been no activity for a maximum of fifteen minutes, forcing the user to supply the appropriate password in order to regain access to the system. All workstations with Enterprise Systems applications will have a password protected screensaver that will activate after a maximum of fifteen minutes of inactivity. Users should log off and shut down workstations at the end of each work day. This will facilitate the application of new security patches in addition to generating energy savings. Portable Computers The use of college laptops, notebooks, or other portable computers must comply with all the workstation policies above. When not in use, portable computers must be stored securely. If taken offsite, portable computers should either be in direct control of an authorized employee or physically secured with a locking mechanism accessible only to authorized employees.

3 Storage of Confidential information on portable computers should be limited. If confidential data is stored on a portable computer, it must be encrypted in accordance with the Acceptable Encryption Policy (Section 24 Information Security Policies and Procedures). Unacceptable Use The following activities are, in general, prohibited on Indian River State College computers, network and communication components. Employees may be exempt from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Exceptions require prior approval from the Dean of Institutional Technology or the Dean of Enterprise Systems. The list below is by no means exhaustive, but attempts to provide a framework for activities, which fall into the category of unacceptable use. Intentionally or knowingly using computing and network resources of the College: For personal financial gain or commercial purposes, or non-authorized solicitation of funds except as expressly allowed by college policy. Making fraudulent offers of products, items, or services originating from any Indian River State College account. Effecting security breaches or disruptions of network communication. Port scanning, security scanning, or network monitoring. Circumventing user authentication or security of any host, network or account. Interfering with or denying service to any user other than the employee's host (for example, denial of service attack). Forging or altering header or network packet information. Soliciting for any other address, other than that of the poster's account, with the intent to harass or to collect replies. Creating network congestion transmitting excessive or large files to or from the Internet. Uploading, downloading, storing or otherwise knowingly accessing or transmitting in any fashion: o Abusive, hateful, degrading, demeaning, derogatory or defamatory materials, information, or communications that could reasonably incite violence and/or disruption of college operations. Emphasis is added as it pertains to race, color, religion, national origin, gender, sexual orientation, political beliefs, or disability. o Pornographic, obscene, sexually explicit, indecent, or vulgar materials, information or communications. o Any confidential records of Indian River State College, its stakeholders, employees, or vendors without adequate authority to do so or use of proper file encryption. o Any materials or programs, including access and registration codes, which are in violation of copyright protections.

4 o Unsolicited messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material ( SPAM). o Chain letters, Ponzi" or other "pyramid" schemes of any type. o Solicitations or advertisements for products or activities not related Indian River State College business. o Any virus, worm, Trojan horse, trap door, or any other malicious program code. Additional Usage Guidelines Employees must exercise utmost caution when sending any from inside Indian River State College to an outside network to prevent accidental disclosure of sensitive information. The requirements must be followed when ing within and from the Indian River State College network: Auto forwarding of College is prohibited (e.g., Gmail, Yahoo etc). Confidential data, as defined above, may not be forwarded via any means. If confidential information has been received through an , and it must be sent to a new recipient, a new message will be composed. Only the pertinent information will be copied to the new . Any user needing to send confidential information via must secure approval of their administrator and must contact Institutional Technology to ensure appropriate encryption is used. This policy applies to employees use of desktop computers, laptops, smart phones, cell phones, and other hand-held devices, whether provided by the college or owned by the employee. This policy also applies to full-time employees, part-time employees, independent contractors, interns, consultants, agents, and other third parties. Personal Use of Network Resources Employees are responsible for exercising good judgment regarding the reasonableness of personal use of computing or network resources. Employees should be guided by college policies on personal use, and if there is any uncertainty, employees should consult with their supervisor or manager. Employees may access non job-related web sites that do not violate the Acceptable Use Policy during designated break periods. Personal use of the Internet should not occur on systems where the screen is viewable by College stakeholders. Internet access is a privilege and may be revoked at any time. Monitoring Indian River State College may use software and systems to monitor and record all computer, network, or Internet activities. These systems are capable of recording (by user) each Web site visited, chat, newsgroup, or message and each file transferred into and out of our internal

5 networks. No user should have any expectation of privacy as to Internet usage, data transmission, or file storage. If necessary, assigned individuals will review activity logs and report suspicious findings to the appropriate supervisor or member of management. Indian River State College may use hardware and software to identify inappropriate or sexually explicit Internet sites. These sites may be blocked from access based on some specific or general criteria. Indian River State College reserves the right to inspect any and all files stored on College-owned hardware and on any personal media brought on College premises by employees. Enforcement All employees should be aware that severe regulatory, civil, and criminal penalties could result from the misuse or misappropriation of confidential information or college information systems. Campus and network computing resources must be used in a manner consistent with Chapter 815, Florida Statutes Computer Crimes Act and Title 18, United States Code, Electronic Communications Privacy Act of Unauthorized or fraudulent use of the College's computing resources may result in felony prosecution and punishment as provided for in Florida Statutes, Chapter 775, Florida Criminal Code. A violation of the Information Security Policies and Procedures or any of its supporting statements by employees may result in disciplinary actions. Depending on the severity or frequency of the violations, actions may include: Verbal warning Counseling statements for Policy violation Removal or restriction of system access privileges Position/function reassignment. This may lead to a change in the employee s compensation package. Termination of employment Civil or criminal liability under applicable local, state, federal, or international laws Revision History