The district computer network is a vital resource to faculty, staff and students for academic and administrative purposes. The district is committed to maintaining the integrity, confidentiality, and availability of college data. Student data and employee privacy information are areas that must be protected from intrusion and inappropriate use or disclosure.
Everyone at the college has a responsibility to assist with the implementation and enforcement of this policy.
Users may not, under any circumstances, allow unauthorized individuals to access their account without permission from the system administrator. Authorized users are responsible for proper use of the system, including password protection.
A user who discovers a possible security lapse on any system is obligated to report this to their administrator (Supervisor or Dean), or to Information Technology. The system must not be used until the system administrator has investigated the problem and issued a clearance.
Knowledge of passwords or of loopholes in computer security systems shall not be used to gain unauthorized access or otherwise make use of information for which proper authorization has not been given.
Computer users should report suspicious activity immediately to their administrator (Supervisor or Dean), or to Information Technology.
This policy is especially focused on protecting critical resources and is intended to require those responsible to safeguard the resources in an appropriate manner. Each department will protect college resources and data by adopting and implementing, at a minimum, the set of security procedures provided here.
All networked devices must have all available patches installed that address security vulnerabilities. Vulnerable systems face disconnection from the college network. Delaying installation until a convenient time, such as semester breaks, is unacceptable when the patch addresses security.
All computers connected to the college network must be running current anti-virus software, and must check for updates at least daily, preferably hourly. The minimum standard for anti-virus software is to meet or exceed the effectiveness of the software products site-licensed by the college. Non-compliant or infected systems are subject to removal from the network.
All networked devices with access to college resources shall require adequate passwords or an alternate secure authentication system (e.g., biometrics or Smart Cards). College computer account owners have a responsibility to construct, secure, and maintain their passwords in accordance with the requirements specified in the Password Construction and Maintenance Guidelines document, which can be found on the IT website or obtained by contacting IT. Passwords will be set to expire on a regular and systemic basis.
The college controls user access with signature authority. An administrator (Dean or above) must authorize the creation of a user account. Accounts shall be created based on least privilege required to meet the needs of the account holder. Access requirements should be reviewed for changes regularly to ensure permissions are based only on current duties and responsibilities.
Accounts are deactivated upon faculty/staff separation. An administrator (Dean or above) must authorize the disposition of any user files in a timely fashion (usually 10 days), or the account is automatically deactivated with no possibility of subsequent data retrieval.
Accounts are assigned to a single individual (use of group accounts is not permitted unless special circumstances warrant it).
Account owners are responsible for any activity initiated from their account.
Accounts are configured to lock after repeated login failures.
Accounts shall be monitored regularly by IT for inactivity and suspicious activity.
The Information Technology department will maintain a list of current users and permissions.
Devices must be configured to "lock" or log off and require a user to re-authenticate if the user leaves the device unattended. The time limits will be communicated by Information Technology.
Mission-critical systems and systems containing regulatory-protected data (e.g., FERPA, HIPAA) must be located in a locked location accessible only to authorized personnel. To protect against data theft, protected data must not be downloaded and stored on a portable device (e.g., a college laptop or USB drive).
All wireless access points must be approved and installed by Information Technology. Personal computers and devices may not be directly connected to the college network as this poses a significant risk of virus infection inside the firewall.
Regarding the Datatel Colleague student information system, system access is administered by data stakeholders as identified by the Colleague Application Support Team (CAST) committee. Access to data is set up by job function. Only appropriate personnel are set up to view data, and only appropriate personnel are set up to modify data. The addition of Datatel system access and assignment of a Datatel security class to an employee requires signature authority from the CAST member responsible for the data. Information Technology maintains a list of employee names and assigned access.