08:14:00 Information Technology Responsible Use

1. Introduction:

College-owned or operated Information Technology (IT) systems and resources are provided for use by faculty, students and staff of Chattanooga State Community College. This document constitutes the policy for the management of all IT resources. This policy is intended to be an addition to existing college policies and regulations and does not alter or modify any existing College policy or regulation.

2. Purpose:

 To establish guidelines for college-owned or operated computer hardware and software, computer network access and usage, Internet and email usage, telephony, security and privacy of data. This document is to inform all users of the policies set forth by the College, in compliance with the Tennessee Board of Regents, the State of Tennessee, and the Federal government.

3. Scope:

This policy applies to all users of IT systems and resources, and it applies to the use of all IT systems and resources. Additional requirements and procedures may be required for the authorized use of specific college computing laboratories. Any additional requirements or procedures will be posted in the respective laboratories. Use of IT systems and resources, even when carried out on a privately owned computer that is not managed or maintained by ChSCC, is governed by this policy.

4. Definitions:

 4.1.

IT systems and resources - the computers, terminals, printers, networks, modems, facilities, online and offline storage media and related equipment, software, and data files that are owned, managed or maintained by Computer Services (CS), as well as those administered by individual departments, laboratories, and other College-based entities.

4.2.

Least Privilege – all required access to privacy/confidential data will be granted at the lowest level of access that will still allow the individual to do their job.

4.3.

User - a “User” is any person, including but not limited to students, faculty, and staff, whether authorized or not, who makes any use of any IT resource or system from any location.

4.4.

System Owner – the individual who is responsible for the data contained within a particular system. The system owner grants individual access to the systems and/or data that they are responsible for, based on the principle of “least privilege.”

4.5.

Systems Administrator - system administrators oversee the day-to-day operation of the system and are authorized to work with data owners to determine who is permitted access to the particular IT systems and resources for which they are responsible. System administrators, due to the nature of their jobs, have access to the data contained upon the systems they maintain; however, least privilege is instituted.

5. Rights & Responsibilities:

The rights of academic freedom and freedom of expression apply to the use of ChSCC’s IT systems and resources. So too, however, do the responsibilities and limitations associated with those rights. ChSCC makes available computing facilities consisting of hardware, software, accounts and communication activities. The use of IT systems and resources, like the use of other College-provided resources and activities, is subject to the requirements of legal and ethical behavior. The use of these resources must comply with ChSCC policy and applicable Federal and State Law. Such electronically available information (1) may not contain copyrighted material or software unless the permission of the copyright owner has been obtained, (2) may not violate College policy prohibiting sexual harassment, (3) may not be used for commercial purposes, (4) should not appear to represent ChSCC without appropriate permission, or to represent others, (5) may not appear to represent other organizations or companies, (6) may not contain material which violates pornography laws, and (7) may not contain scripts or code that could cause a security breach or permit use of resources in opposition to CS or College policy. ChSCC accepts no responsibility for any loss of data or damage to data or services arising directly or indirectly from the use of these facilities or for any consequential loss or damage. The College makes no warranty, express or implied, regarding the IT systems and resources offered or their fitness for any particular purpose.

5.1.

ChSCC reserves the right to disconnect client machines where illegal or potentially damaging software is found to exist. A client machine may also be disconnected if the client’s activity adversely affects the network’s performance.

5.2.

The distribution and display of obscene materials is prohibited by the laws of the State of Tennessee (see Tenn. Code Ann. 39-17-902).

5.3.

Gambling, including that performed with the aid of the Internet, is prohibited under Tennessee state law (see Tenn. Code Ann. § 39-17-502).

6. Copyright:

College staff, faculty and students will abide by the policies set forth by the College in compliance with the Tennessee Board of Regents’ policies, and the laws of the state of Tennessee and the Federal government. Federal law gives the holder of copyright five exclusive rights, including the right to exclude others from reproducing the copyrighted work.

6.1.

Materials published on the ChSCC site are protected by the Digital Millennium Copyright Act. The DMCA also requires that ChSCC inform all computer and network users that downloading of copyrighted material is prohibited. In addition, Tennessee Code Annotated §49-7-1(c) specifies that the college ensure that no copyrighted digital music or videos be downloaded using ChSCC resources. Any attempts to do so will result in appropriate disciplinary actions (see Section 13).

6.2.

Peer-to-Peer (P2P) File Sharing software/applications, such as BitTorrent, are not permitted at ChSCC: not only can they be used to download music/media/etc. in violation of copyright laws, but they can also negatively impact network load and provide a conduit for viruses. For business needs that require this type of software/applications, please submit an on-line work order to CS containing the business justification.

7. Access:

In accordance with State of Tennessee and TBR 1:08:00:00, all access to the College’s computer systems must be approved; approvals may require displaying of proper identification or completion of forms when requested. Access to departmental computer systems must be approved by the dean or the representative and be based on the policy of least privilege. Approval requirements may vary depending upon the system. Minimum annual reviews of granted accesses are required.

7.1.

To protect network systems and sensitive data accessed through network systems, only college-owned or college-approved equipment may be attached to the College computer network via hardwire connections. All laptops, whether personal or college-owned, are to connect only through the campus wireless network and not through hardwire connections. All vendor default settings must be checked and removed as necessary before anything is connected to the network. Computer Services Network Services needs to be notified of any addition to the network before it is connected to the network. Failure to do so will result in removal from the network and possibly disciplinary action.

7.2.

Regular faculty and staff, temporary faculty and staff, and students who are registered for classes and have paid fees for the current semester are considered eligible for computer accounts. Accounts for students are automatically set-up following registration. Nonpayment of fees or withdrawal from classes will result in forfeiture of a student-user account.

7.3.

The College recognizes the importance of preserving the privacy of users and data stored in IT systems and resources. Users must honor this principle by neither seeking to obtain unauthorized access to IT systems and resources nor continuing to use an account after the student enrollment or faculty/staff employment ends. Accounts will be disabled immediately upon the provided employment ending date.

7.4.

No circumvention of any network limitation is permitted. This means no “outside” device, unless approved by Network Services, is allowed to be attached, wired or wireless, or to interfere with, any part of the ChSCC network. In order to receive Network Services approval, any device that is allowed on the network, and that can have virus protection installed, will have current and regularly updated virus protection installed and used as part of the standard security protection before it is in production.

7.5.

ChSCC is not responsible for any damage or malfunction to unapproved equipment being used or inserted into any ChSCC network (or phone) port. Each port is configured for the specific device type being used. A different device plugged into a given port may be damaged, or worse, cause damage to the network equipment servicing that port. If additional network features or functions are required, submit a work order request to Network Systems for evaluation and cost analysis.

8. Security:

Security is everyone’s job at ChSCC and users are responsible for maintaining the security of their own IT systems and resources accounts and passwords. The following basic security rules are not meant to be all inclusive of the necessary security vigilance that is required in today’s computing environment.

8.1.

In accordance with State requirements, all systems and devices owned and operated by or on behalf of ChSCC must display the approved security logon banner before the user logs in. (See Attachment 1)

8.2.

Allowing friends, family, co-workers and/or vendors to use accounts, either locally or through the Internet, is a serious violation of these guidelines. Passwords are the most basic security protection. IT passwords must meet the required password guidelines established in the ChSCC Password Security Policy.

8.3.

All accounts used by vendors for remote maintenance will be handled through the CS work order system for both enabling and disabling these accounts. Accounts will only be enabled during the time needed and only for what access is needed to perform the work. Reviews of all connections will be done on a regular basis to ensure accounts are opened and closed as needed.

8.4.

Users will not attempt to circumvent security, to use knowledge of loopholes in computer system security or unauthorized knowledge of a password to damage any computing systems, to obtain extra computing resources, to take resources from another user or to gain access to unauthorized systems, either on or off campus.

8.4. Data Security:

 Institutional data is information that supports the mission and operation of ChSCC. It is a vital asset and is owned by the College. Some institutional data may be distributed across multiple departments within the College, as well as outside entities, while other types of data have to be closely protected due to legal requirements. Institutional data is considered essential, and must comply with legal, regulatory, and administrative requirements. All data required by law to be protected from nondisclosure, unauthorized use, modification, or destruction under FERPA’s designation of Personally Identifiable Information (PII), Red Flag or PCI designations shall be protected from unauthorized use, modification or destruction.

8.5. Mobile Security:

Users of mobile computing platforms, including but not limited to laptops, handheld devices, and portable storage media, shall take every precaution to protect such platforms from theft or loss of data by any means.

8.6. PII Access:

Only when it is absolutely necessary to perform specific job related duties shall computing platforms, mobile or stationary, store PII assets. In all cases, PII assets must have approval from the asset custodian for such storage and shall be encrypted while stored on mobile and stationary computing platforms/devices.

 8.7.

With Banner ‘A’ numbers being used as personal identifiers, computing platforms should not contain social security numbers. If an application requires the use of social security numbers, it must be identified in the risk assessment process and appropriate controls put in place. Losses of institutional assets or other IT resources, no matter the format the data resides in, must be reported immediately in accordance with the College’s Computer Services Security Incident Response (CSSIR) policy.

9. Ethical Behavior and Rights:

The College by its very nature values openness and promotes access to a wide range of information. The use of computers, computer-based networks, and electronic information is essential for research, instruction and administration within the academic community. Respect for the work and rights of others is especially important in this environment. Any intentional misbehavior with respect to the electronic environment of the College or members of the College community will be regarded as unethical and may lead to disciplinary action in accordance with College policy as outlined in the student and employee handbooks.

10. E-Mail:

Electronic records sent, received, or stored on computers owned, leased, or administered by the College are the property of ChSCC. As the property of ChSCC, the content of such records, including electronic mail, is subject to inspection by College personnel, as required. While the College does not routinely do so, the College is able and reserves the right to monitor and/or log all network activity of users without notice, including all e-mail and Internet communications. Users should have no reasonable expectation of privacy in the use of these resources.

11. Disclosure of Electronic Records:

Pursuant to the Tennessee Code Annotated, Title 10, Chapter 7, and subject to exemptions contained therein, electronic files (including e-mail correspondence) which are generated/received by Chattanooga State employees and owned/controlled by the State or maintained using ChSCC IT systems and resources may be subject to public inspection upon request by a citizen of the State of Tennessee. ChSCC personnel receiving such a request for public inspection should refer the request to the President or Director of their Organization (or to the President’s or Director’s designee). Institutions may charge reasonable fees for making copies of such records, pursuant to T.C.A. § 10-7-506.

12. Retention of Electronic Records

Electronic records needed to support College functions must be retained, managed, and made accessible in record keeping or filing systems in accordance with established records disposition authorization. Each employee, with the assistance of his or her supervisor as needed, is responsible for ascertaining the disposition requirements for those electronic records in his or her custody. To ensure that all record retention requirements are met, individuals should review TBR Guideline G-070, Disposal of Records.  

13. Sanctions

Violations of this policy shall subject users to the regular disciplinary processes and procedures of the College for students, staff, administrators, and faculty and may result in loss of their computing privileges. Illegal acts involving ChSCC computing resources may also subject violators to prosecution by local, state, and/or federal authorities. Sanctions for violation of copyright can be very substantial. Beyond the threat of legally imposed sanctions, violation of copyright is an unethical appropriation of the fruits of another’s labo
 

References:
1. State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/Apr 2008
2. Tennessee Code Ann. 39-17-902
3. Digital Millennium Copyright Act.
4. Tennessee Code Annotated §49-7-1(c) Tennessee Code Annotated, Title 10, Chapter 7, 506
5. Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00
6. Family Educational Rights and Privacy Act (FERPA)
7. ChSCC Library Acceptable Use of Electronic Resources
8. Payment Card Industry (PCI) Compliance, 07/01/2001
9. Tennessee Board of Regents (TBR) Policy 4:01:05:06
10. Tennessee Board of Regents TBR Guideline B-80
11. Tennessee Board of Regents TBR Guideline B-070

Approved:

President’s Cabinet, 02/1/2012

Approved:

Dr James L. Catanzaro, President, 05/7/2012

Implemented by: Computer Services, 1/7/2005
Reviewed and Revised by: Computer Services, 9/30/08 Rev 1
Reviewed and Revised by: Computer Services, 3/27/09 Rev 2
Reviewed and Revised by: Computer Services, 12/1/2011 Rev 3

Attachment 1:
Chattanooga State Security Warning Banner

This system is for use by authorized users only. Individuals accessing this system without authority or in excess of their authority are in violation of Federal and/or State laws, regulations and policies and may be subject to criminal, civil and/or administrative actions. Any information, including personal information, on this computer system may be intercepted, recorded, read, copied and disclosed by and to authorized personnel for administrative purposes, including criminal investigations. Anyone using this system expressly consents to such monitoring and SHOULD HAVE NO EXPECTATION OF PRIVACY for any information stored or communicated in or through this system.