Administrative Procedures for Physical Resources
To view text in a larger font, please increase the zoom percentage option at the bottom right corner of your browser.
BOT Policy V.1 Information Security (9/10)
Information Technology Procedure
Reference: Board of Trustees Policy 3.34
AUDIENCE AND SCOPE
Mohawk Valley Community College is committed to providing its employees, students and partners with current technology and computing resources and to protect them from illegal or damaging actions committed, either knowingly or unknowingly, by individuals who use these resources. Therefore, to protect themselves and others, all MVCC employees, students, alumni, contractors, consultants, temporary employees, tenants and guests of MVCC are required to adhere to the established procedure related to all College Information Systems, including:
- MVCC owned and supported desktop and laptop computers
- Non-MVCC computers used to access MVCC network resources.
- Voice and data networks, wired and wireless, that are owned and operated by MVCC, and any equipment directly attached to them (such as personally owned laptops, computers, networking devices, etc.)
TERMS OF COMPUTING & NETWORK USAGE
- It is expected that primary use is restricted to any activity that supports the Mission, Vision and Purpose of the College. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. If there is any uncertainty, employees should consult their direct supervisor, the Director of Human Resources, or the Executive Director of Information Technology. MVCC desires to provide reasonable levels of privacy; however, users should be aware that all material and data they create on the College's systems may be requested and possibly disclosed under the Freedom of Information Law (FOIL).
- MVCC aspires to provide, but cannot guarantee, a reasonable expectation of electronic privacy in use of its computing and networking systems. However, all best practice and reasonable anti-intrusion systems and software will be maintained.
- All information stored, processed, or transmitted by computer users may be monitored or legally disclosed to appropriate personnel, or law enforcement agencies. Any such monitoring or disclosure shall be conducted for a stated purpose, and will expose confidential information as minimally as possible and only as needed for the stated purpose. The MVCC Director of Human Resources must approve, in writing, the monitoring and/or dissemination of any individual’s e-mail communications or stored data.
- Any information that is considered Personally Identifiable Information (PII) that college procedure indicates is sensitive or confidential must be appropriately protected as described within this procedure.
- MVCC will implement anti-intrusion, anti-virus, anti-SPAM and other appropriate systems in order to provide a secure and private computing environment.
- MVCC reserves the right to block all Internet communications from sites, hosts or devices that are involved in disruptive or damaging practices, or that provide services that may expose the College to legal liability, or that are deemed to not meet the Mission, Vision or Purpose of the College.
- MVCC reserves the right to prioritize the allocation of network resources in times of peak resource demand.
- MVCC makes no warranties of any kind for the access being provided, and assumes no responsibility for the quality, availability, accuracy, nature, or reliability of the material accessed from the internet.
- MVCC will not be responsible for any damages suffered by a user resulting from the use of the Internet. MVCC will not be responsible for any unauthorized financial obligations resulting from the use of the Internet.
- Authorized users are responsible for the security of their passwords and accounts and are responsible for any violation that may originate from their computer or account.
- Personally Identifiable Information (PII) or other sensitive data must not be stored on local hard drives or removable media (including but not limited to floppy disks, PDAs, flash/thumb drives, writable CDs, DVDs or portable hard drives).
- All devices connected to MVCC networks, whether owned by the employee or MVCC, shall have current anti-virus and operating system security patches installed.
- It is the responsibility of employees to physically secure their mobile devices. Any instances of theft of MVCC equipment must be reported to the MVCC Director of Campus Safety and Security for on-campus incidents. For off-campus incidents, it is the responsibility of the employee to report the theft to the appropriate police agency, with a copy of the report filed with the Director of Campus Safety and Security.
- MVCC reserves the right to audit networks and systems to ensure compliance with these procedures.
The following is expressly prohibited:
- Activity that is illegal under local, state, federal or international law while utilizing MVCC-owned computers or networks.
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property.
- The installation or distribution of "pirated" software products that are not appropriately licensed for use by MVCC.
- The installation of “Bootable Devices” on any PC or Laptop.
- Unauthorized copying of copyrighted material including, but not limited to, digitized and distributed photographs from magazines, books or other copyrighted sources, copyrighted music or videos, and any copyrighted software for which MVCC or the end user does not have an active license.
- Misrepresenting one's identity or relationship to the College when obtaining or using College computers or networks.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws.
- Introduction of malicious programs into the network or servers (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Using an MVCC computing asset to actively engage in procuring or transmitting material that is in violation of anti-pornography, sexual harassment, libel, slander or hostile workplace laws in the user's local jurisdiction.
- Using an MVCC computing asset for private commercial purposes or making fraudulent offers of products, items, or services originating from any MVCC account.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Port scanning or security scanning.
- Executing any form of network monitoring which will intercept data not intended for the employee's host device, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any device, network or account.
- Interfering with or denying service to any user (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind with the intent to interfere with or disable a user's terminal session, via any means, locally or via the network
- Providing information about, or lists of, MVCC employees to parties outside MVCC, unless within the scope of one’s job or due to FOIL requests, and with appropriate approval.
- Using the College's email system (outside of MVCC Today) to solicit or advertise personal products, productions or other items or events not related to the College's stated mission, vision and purpose unless the user has obtained prior approval from his or her direct supervisor.
- Any form of harassment via email, telephone, instant messaging, or other electronic means, whether through content, frequency, or size of messages.
- Unauthorized use or forging of email header information.
- Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
- Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
- Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
- Use of College equipment and communication systems by employees or other authorized users to attempt to influence legislation or in any other way lobby elected officials, except on behalf of SUNY or the College.
- Blogging that does not fall within the Mission, Vision or Purpose of the College.
Open Lab Computers: Computers in Open Labs are available for use by all current MVCC students, staff, Board of Trustees members and emeriti. Restrictions may apply if there are no lab supervisors available at the time access is requested. A valid MVCC ID Card may be requested for verification. Student, faculty and staff computer access is gained by one’s username and password.
Teaching Lab Computers: Teaching Lab Computers are accessible to all MVCC students and faculty during a class period.
Office computers: Only active MVCC employees (excluding students), who hold a Network Account for access to the MVCC Domain are authorized to access faculty and administrative office computers, unless otherwise authorized by the area Dean/Supervisor or the Executive Director of Information Technology.
Employee Wireless: Pre-configured MVCC equipment and/or employees’ personal computers are provided with wireless technology if all provisions of antivirus and operating systems security patches are met. WiFi access to PDAs is not supported.
Classroom Ports: Active network ports in classrooms may only be used by faculty or staff if arrangements are made in advance with the Information Technology Department. Under no conditions should a preexisting network connection be unplugged without the approval of the Information Technology Department.
Operating Systems and Anti-Virus Updates: MVCC owned computers, upon connection to one of the network domains, will have patches and updates automatically downloaded and installed.
Banner Forms (‘INB’) - All employees who hold a Network Account, with Banner Supervisor approval, are authorized to access those areas of Banner INB in which they have a legitimate business interest. Banner Supervisors are defined as follows:
- Banner Student – Registrar
- Banner Admissions – Director of Admissions
- Banner Finance – Controller
- Banner Payroll – Senior Financial Analyst
- Banner Student Accounts Receivable - Bursar
- Banner Human Resources – Director of Human Resources
- Banner Advancement – Executive Director of Institutional Advancement
- Banner Financial Aid – Director of Financial Aid
- Banner Advisement (DegreeWorks) – Asst. Dean of Student Enrollment and Advisement
- Banner General – Executive Director of Information Technology
Users should not log onto Banner for the purpose of providing someone else access to the system.
Periodic Review – Periodically, a report of all individuals who have access to forms within Banner INB will be provided to the Banner supervisor. Any irregularities in access rights must be reported to Information Technology Department for corrective action.
Self- Service Banner (“SIRS”) - All MVCC employees, past and present, have access to Banner Online. Former employees' access is limited to viewing appropriate information such as historical tax-related income forms (i.e. W-2 tax forms). It is the responsibility of the employee to protect his/her Personal Identification Number (PIN).
Argos Accounts - All active employees who hold a Network Account, with Argos Supervisor approval, are authorized to access those areas of Argos in which they have a legitimate business interest. Argos Supervisors follow the same protocol as Banner Supervisors defined under Banner Forms access.
A user should not log onto Argos for the purpose of providing someone else access to the system.
Network and Email Accounts
The following individuals are authorized to hold active Network Accounts and Email Accounts:
- Current employees and students of MVCC
- Former students who have not been unregistered for three (3) consecutive academic terms
- Members of the MVCC Board of Trustees
- Faculty/Staff Emeriti of MVCC
- Retirees, for a period of three years from retirement (and beyond, contingent upon active use)
- Others as approved by the appropriate area Dean/Supervisor and/or the Executive Director of Information Technology
Employee accounts are generally allocated 3GB of email storage and 3GB of file storage. Student accounts are allocated 250MB of email storage and 750MB of file storage.
Employee Email Address Format
The standard email address format is: firstname.lastname@example.org (all lower case) as determined by the employee name on file for HR/Payroll purposes. At the discretion of the appropriate area Dean/Supervisor and/or the Executive Director of Information Technology, employees may request a modified firstname in order to provide an alternate email address. The standard email address will still function.
Upon notification to the Information Technology Department by a Dean, Director, or the Director of Human Resources or designee, an individual's account will be restricted or disabled due to separation of employment or end of affiliation with the College.
All passwords must meet the following standards to be considered valid:
- A minimum of 8 characters
- Can not contain User/Login Name
- Must contain the following two characteristics:
- At least one upper case character
- At least one number
Existing user passwords will automatically expire at least twice per calendar year, typically after 180 days. A newly chosen password must not be the same as the previously used two passwords.
A user has five opportunities to enter his or her password. If s/he does not enter the correct password after five tries the account will be locked and s/he will be prompted to contact the Information Technology Help Desk for a reset.
Sharing account information
A user should not share his/her account password with others or allow use of his/her account by others, with the exception of the Information Technology Department for the purpose of software troubleshooting or installation.
Creation of Generic Accounts is a rare exception to security best practice and will only be done with the approval of the Executive Director of Information Technology.
Users should “lock” their computers when they leave their work stations, for security of data.
Connecting personal equipment to the network
Personal equipment is not allowed to be connected to the MVCC network with the following exceptions:
Virtual Private Network (VPN) - Computers that connect to the MVCC networks from offsite using a Virtual Private Network must have virus protection installed and be current with all patches or updates for the operating system. By using a VPN, users agree that their computers may be remotely inspected to verify the presence of virus protection and patches or updates. Computers may be denied access via a VPN should the virus protection be deemed to be inadequate or it is discovered that patches or updates are missing.
Periodically, the Executive Director of Information Technology will provide to the President’s Cabinet a list of individuals authorized to utilize computing resources via VPN.
Change of Job Duties
In the event that an employee changes jobs within the College, access to computer network resources related to their old job will be discontinued. If access from their former job is still required, written authorization must be obtained from the supervisor for the former job.
If an employee changes jobs, and the new job requires access to any new forms/reports within the Banner System, changes in access must be approved by the appropriate Banner Supervisor(s).
DATA ACCESS PRIVILEGES
Individuals will be granted access to a Department's or Center’s Shared Folder upon approval from that Academic Center’s Dean.
Periodic Review – Periodically, a report of all individuals who have access to a department's network resources will be provided to the Academic Center’s Dean or Department’s Director. Any irregularities in access rights should be reported to the Information Technology Department for corrective action.
Domain Administrator Access
Domain Administrator level access to computer and network systems shall be granted only to specific Information Technology Department personnel as authorized by the Executive Director of Information Technology.
Sensitive data is defined as any data that could provide access to personal information of an individual or institution. Such data includes, but is not limited to, documents and files that may contain Personally Identifiable Information such as financial, human resources, payroll and student information documents and files.
Personally Identifiable Information (“PII”) is defined as any of the following:
- Social Security Number
- Passport Number
- Employee or Student Identification Number
- State or Federally Issued ID numbers (e.g., driver’s licenses).
- Date of Birth
- Maiden Name
- Mother’s Maiden Name
- Credit Card or Financial Account Information
- Results of background or criminal history checks
- Payroll and salary information
- Medical Information
- Accommodation requests and related information
- Biometric data (such as fingerprint, voice print, retina or iris images)
- Digital or other electronic signature files.
Storage of sensitive data
Sensitive data must not be stored on desktop or laptop computer hard drives. Such data must be stored on network servers only. Storing sensitive data on removable media, such as USB flash drives, CD-ROMS and CDRWs is prohibited.
External transmission of sensitive data
Sensitive data must never be transmitted outside of the College system via insecure means, including email and File Transfer Protocol (FTP) unless the data is first encrypted.
FACULTY/STAFF STANDARD SOFTWARE
- MS-Windows XP (Service Pack 2)
- MS-Windows7 (Teaching Faculty Computers, Effective 8/15/10)
- MS-Office 2007
- MS-Outlook 2007
- Internet Explorer7 (IE8 for Windows7 Computers)
Employees should contact the Information Technology Help Desk to arrange for custom software installations. Installation of specialized software is at the discretion of the appropriate supervisor and the Executive Director of Information Technology. Employees are not permitted to perform their own installations without the authorization of the Information Technology Department.
ACADEMIC LABS SOFTWARE
- MS-Windows7 (Effective 8/15/10)
- OSX (Mac Labs)
- MS-Office 2007
- MS-Outlook 2007
- Internet Explorer7 (IE8 for Windows7 Computers)
Customized software installations in Academic Labs will be configured to meet the particular curriculum needs of each individual lab.
Modifications to customized software in Academic Labs will not be performed after the start of each semester’s classes unless authorized by the Executive Director of Information Technology.
COMPUTER ENERGY MANANGEMENT – BEST PRACTICES
- All employee computers should be “shutdown” at the end of the workday.
- When two (2) hours or more of inactivity is expected, the computer should be shutdown; an alternative is to place it in hibernation or standby mode.
- Hard drives should be configured to turn off after 30 minutes of inactivity.
- Computer monitors should be configured to enter power-saving mode after 20 minutes of inactivity.
- Screen savers waste energy and should not be configured.
Telecommuting is defined as the “ability to work at home (or other remote location) using a computer or PDA connected to the MVCC Data Network, servers and its software”. All telecommuting requests must be approved by the appropriate supervisor and the Executive Director of Information Technology. All reasonable software, hardware and security considerations will be provided upon approval of such requests under the assumption that telecommuting is considered a courtesy and not a mandated employee right.
COLLEGE ISSUED LAPTOPS
Fulltime faculty members may choose to be issued either a desktop computer or a laptop. Part time employees may request a loaner laptop from the MVCC Media Center (pending availability).
Upon termination of employment from the College, College-issued laptops must be returned to the Information Technology Help Desk as part of the overall College checkout procedure.
If a fulltime faculty member (who was previously issued a laptop) reverts to part-time employment status, that employee must turn in the laptop to the Information Technology Help Desk. The employee may then request a loaner laptop from the MVCC Media Center.
CELL PHONES AND PDAs
Personal cell phones may connect to the MVCC Email System(s). The Information Technology Department will provide the needed credentials for the connection. The selection, purchase and configuration of personal cell phones are the responsibility of the end-user. End-users should be aware that optimal configurations of cell phones will occur if the phone is compatible with MS-Exchange Server. The Information Technology Department will provide reasonable levels of assistance for personal cell phones, but assumes no liability for their ability to connect and function with MVCC Systems.
Damage to College-issued equipment (laptops, desktop computers, etc) must be reported to the Information Technology Department Helpdesk. Attempts will be made to repair the equipment; as required, equipment will be replaced. In the case of damage due to negligence, replacement will not occur until the Executive Director of Information Technology has documented the damage with the appropriate supervisor. Any repayment of replacement costs or other corrective action is at the discretion of the supervisor and the Director of Human Resources.
MICROSOFT OFFICE SOFTWARE FOR HOME USAGE
Full-time employees may request a licensed version of MS-Office for working at home and will be loaned a CD-ROM with the software. Software installation and all potential risk to personally owned systems is the responsibility of the requesting employee. Before the software is issued, the requesting employee must sign an affidavit that the issued software (to be installed on non-MVCC equipment) will be used for MVCC-related business needs; this form must also be signed by the appropriate supervisor, indicating approval.
DISPOSAL OF SURPLUS COMPUTER EQUIPMENT
- At periodic intervals or due to computer obsolescence, campus computers (in offices and academic labs) will be removed and/or replaced by the Information Technology Department. In the case of bulk removals, the Physical Plant will offer appropriate assistance.
- IT will evaluate all equipment to see if it can be used for another College application.
- IT will arrange for the removal of any and all data from the machine using a hard drive wiping application or degaussing prior to final disposition.
- If appropriate, the Business Office will coordinate the sale or public auction of surplus computers/equipment.
- If old computers are deemed no longer usable, operational or not fit for public sale or auction (by the Information Technology Department), the Environmental Health and Safety Officer will coordinate with a NYSDEC authorized recycling vendor for removal from the College physical inventory and proper disposal.
- Items to be disposed will be recorded with item description, College decal number and item serial number.
- A summary list of equipment to be disposed will be approved by the Executive Director of Information Technology and the Vice President for Administrative Services prior to disposal. Appropriate updates to the Fixed Assets Module in Banner will be maintained.
- Per requirements of the New York State Office of the State Comptroller, the Environmental Health and Safety Officer will retain all certificates and detailed disposal invoices.
- Equipment will be stored in a secure area prior to its disposal.
- A yearly report of Computer Assets will be submitted to the Vice President for Administrative Services for insurance purposes.
DATA PRIVACY AND SOFTWARE USE
Anyone having data representation in a college database has the right to data privacy. There are specific federal and state legal rights involving personal data access, manipulation and dissemination that are afforded to everyone. They address:
- Right of access - "legitimate interest" required in the normal conduct of business
- Manipulation - being accomplished with full knowledge and consent of the file or account owner
- Dissemination of data - only to persons or agencies having a "need to know"
In addition, students have specific rights under the Family Educational Rights and Privacy Act of 1974 including access to their data by themselves and their families. College procedure governing the implementation of the provisions of this Act is detailed in the Student Handbook (“Release of Student Information"). In general, student educational records should be accessible to College faculty and staff when they have a "legitimate educational interest in the data". Personally identifiable information can only be released to other persons or agencies within the limitations described in the procedure.
Data privacy restrictions also apply to the creation and release of student data in response to special external requests outside normal college operations. They specify that:
- Release of student data must conform to the provisions of the Family Educational Rights and Privacy Act. If there is doubt regarding this, please contact the Registrar.
- Use of the data must have a legitimate educational basis. If in doubt, please contact the Vice President for Learning and Academic Affairs.
- Creation of special lists or reports must not unduly interfere with college operations
- Data requests are handled by the Information Officer, the Vice President for Administrative Services.
- There may be a charge for creation of special lists and reports. The current College charge is $50 per hour for computer personnel and computer time to produce the material plus 10 cents per page for the printout. The rates may be changed by the Vice President for Administrative Services.
Individual users are responsible for any violation of any of these procedures that may originate from their computer(s) or account(s). Violations of these procedures may result in disciplinary action, including suspension of privileges, termination of employment, and civil liability. Violations of some portions of this policy may constitute a criminal offense, and may result in the engagement of appropriate law enforcement authorities.
These procedures shall be reviewed by the Executive Director of Information Technology and the President’s Cabinet at least once per calendar year.