Information Technology – Acceptable Usage

Administrative Procedure 7.101

Overview

The intent of publishing this Information Technology - Acceptable Usage Administrative Procedure is to protect Elgin Community College’s established shared values within its technological environment. To uphold these values we are committed to protecting our employees, clients, and students from illegal and damaging actions by individuals, either knowingly or unknowingly. Elgin Community College’s (hereinafter termed “College”) technological environment is the property of the College. Securing this technological environment is a team effort involving the participation and support of every Client who accesses the College’s technological environment. It is the responsibility of every computer and/or device user to know these guidelines and to conduct their activities accordingly.

Purpose

The purpose of this Administrative Procedure is to outline the acceptable use of technology at the College to protect its employees, its students, and its data. We intend to gain maximum benefit from our technological environment within the framework of the College’s mission, goals, and values. Inappropriate use exposes the College, its employees, its students, and its data to malicious acts including but not limited to viruses, malware, compromised data and systems, and legal issues.  

Scope

This Administrative Procedure applies to employees, student workers, and any contractors, vendors, freelancers, or other agents who utilize the College’s or personally-owned computers or devices to access the College’s technological environment. It applies to all equipment owned or leased by the College as well as personally-owned devices that contain College Confidential and Sensitive Information (CSI) related to College business.  

Definitions of Terms Referenced

  1. Clients: any College employee, student worker, contractor, vendor, freelancer, or other agents who utilize the College’s or personally-owned device to access the College’s technological environment
  2. Demilitarized zone (DMZ): An area of an organization’s network, with limited access to the internal network, which contains resources accessible to the public (i.e. an organization’s web server, a webmail server)
  3. Electronically stored information: (hereinafter termed “ESI”) refers to any type of information that is stored electronically on premises or in the cloud.
  4. Internet: the worldwide computer network available through any Internet Service Provider (ISP) through which one can search for information, send electronic mail (e-mail), etc.
  5. Intranet (my.elgin)/AccessECC Portal/VPN: an internal information network available only through devices internal to the College or with proper authentication.
  6. Malware: a general term for any malicious software that interferes with a device’s intended function by secretly gathering information about the user or organization and sending the personal data to unauthorized parties over the Internet (i.e. Trojans, spyware). Malware may allow unauthorized parties full or partial control over a device’s operation to conduct malicious activities without the user’s knowledge.
  7. Technological environment: all computer hardware (cables, computers, servers, storage media, printers, wireless access points, cell phones, digital displays, surveillance cameras,  etc.), software, resources within the College’s internal network, external web servers, webmail servers, and the public network (Internet access, network accounts, e-mail addresses) and all data transferred within these interconnected devices within College facilities for storage, retrieval and sharing of electronic information.

Network Resource Usage – Internet, E-mail & Other ESI

Access to and use of the College’s technological environment is provided to employees, students, and other Clients of the College. This access imposes certain responsibilities and obligations on employees and other Clients accessing the College’s technological environment and is subject to College policies and local, state, and federal laws.

All data, e-mail, e-mail attachments, documents, and other electronically stored information (ESI) within the network/e-mail system or in the cloud are the property of the College. While the College's Information Technology staff desires to provide a reasonable level of privacy, users should be aware that we cannot guarantee the confidentiality of the information stored on any network device belonging to the College. The College, acting through Information Technology, managers, and supervisors, has the capability and the right to view data and e-mail at any time when deemed necessary for business purposes. This Administrative Procedure does not supersede any state or federal laws regarding privacy, confidentiality, and appropriate use. Information Technology currently backs up data that is located on servers, network file shares, and within individual users’ “My Documents” and “Desktop” folders. Data stored on local drives (c:, d:, or other removable media)  are not currently backed up. Files in these locations are not recoverable if there is an incident. Acceptable use is defined as that which is lawful, ethical, and reflects honesty and respect for others. Clients may be subject to limitations on their use of the technological environment as determined by the appropriate supervising authority. In addition, archival and backup copies of ESI may exist despite end-user deletion.  The goals of these backup and archiving procedures are to ensure system reliability, prevent business data loss, meet regulatory and litigation needs, and provide business intelligence. Backup copies exist primarily to restore service in case of failure. Archival copies are designed for quick and accurate access by company delegates for a variety of management and legal needs. See Administrative Procedure 3.102 entitled “Records Retention and Disposal”.

Securing Our Electronically Stored Information

  1. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. User-level passwords should be changed every 180 days and should comply with Administrative Procedure 7.102 entitled “Password Policy".

  2. All applications, desktops, laptops, and workstations should be secured with a password protected screensaver with the automatic activation feature set at 15 minutes and by either locking the device or logging off when the device will be unattended.

  3. Before the installation of any software, expressed written approval must be given by ECC Information Technology personnel. Once written approval has been given, the installation must be conducted by ECC Information Technology personnel and a Helpdesk ticket must be logged. 

  4. Information contained on portable computers is especially vulnerable, and therefore special care should be exercised. 

  5. All devices used by the employee or student that are connected to the College resources shall be continually executing approved virus-scanning software with a current virus database.

  6. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, ransomware code, e-mail bombs, or Trojan horse code.

  7. Servers, critical systems, and critical applications will require the use of Multi-Factor Authentication (MFA) for access either on or off campus. The Chief Information Officer will decide or delegate to the Managing Director of Network & Information Security Operations the authority to determine which systems should utilize MFA.

Unacceptable Usage of the College’s Technological Environment

The following activities are, in general, prohibited. Information Technology employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may need to run network monitoring tools to ensure smooth network operation and security scanners to ensure vulnerabilities are remediated). Under no circumstances is an employee to engage in any activity that is illegal under local, state, federal, or international law while utilizing College-owned resources.  

The list below is not exhaustive but attempts to provide a framework for activities that fall into the category of unacceptable use.  

The following activities are prohibited:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use in the College’s technological environment.
  2. Unauthorized copying or downloading of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the College or the end-user does not have an active license are strictly prohibited. 
  3. Introduction of malicious programs into the network or server, either knowingly or unknowingly (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  4. Revealing your account password to others or allowing the use of your account by others.  This includes family and other household members.
  5. Use of the College’s technological environment to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
  6. Effecting security breaches or disruptions of network communication.  Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access unless these duties are within the scope of regular duties.  For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  7. Port scanning and security scanning are expressly prohibited unless these duties are within the scope of regular duties. These duties are possessed only by members of the College’s Information Technology department.
  8. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal responsibilities. These duties are possessed only by members of the College’s Information Technology department.
  9. Circumventing user authentication or security of any host, network, or account.  
  10. Creating new users accounts or modifying the rights granted to any user account. 
  11. Interfering with or denying service to any user other than the employee's host (e.g., denial of service attack).
  12. Using any program, script, or command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet or Intranet.
  13. Sending or receiving harassing, threatening, abusive, or annoying communications regarding age, gender, sexual orientation, race, religion, political orientation, national origin, or disability.
  14. Usage of technological resources for profane and/or accessing pornographic content.
  15. Providing network access to any unauthorized person or system.
  16. Usage of the College’s technological resources for unauthorized activities for another organization.

This policy was last reviewed on 08/31/2023.

Print Page