Policy Name: Acceptable and Responsible Use of OCC Technology and Information Systems
Responsibility for Maintenance: Information Technology Services
Date of Most Recent Changes: September 19, 2018
I. Policy Statement
Onondaga Community College (OCC) offers students and employees a broad range of technology and information services. In order to maintain systems that effectively serve and support the campus community, and comply with privacy laws and regulations, OCC manages and maintains the use of information technology to ensure that those systems are protected, reliable and accessible.
OCC technologies and equipment issued to employees for the performance of their jobs are the property of OCC.
All technology-related purchases must be reviewed and approved by ITS, including but not limited to: software, hardware, internal and external "cloud" services, hosting arrangements and participation in any IT pilot programs. Third-party and vendor-supplied computing devices intended to be connected to the OCC network must first be reviewed and approved by ITS and have the appropriate security controls installed. Software that requires integration with OCC information systems must be assessed and approved by ITS.
Personally-owned devices may connect to the OCC wireless network. Although OCC does not provide technical support for personal technology, guidelines and advice are available. See Policy J8 for acceptable security standards for personally owned devices. http://employees.sunyocc.edu/index.aspx?id=22176
II. Reason for Policy
OCC implemented this policy in order to appropriately manage, operate, maintain, and monitor the use of its information technology and systems to ensure that secure and well-operating systems are available to the campus community and remain in compliance with laws and regulations.
III. Applicability of the Policy
This policy applies to all students, faculty, staff, contractors, visitors, third-party providers and others who have access to college information and who are authorized by the college to use OCC's information technology. Such authorized users are responsible for knowing the procedures and regulations of OCC that apply to this policy, and for exercising good judgment in the appropriate use of the college’s technology and information systems.
IV. Related Documents
| Subject | Office Name | Title or Position | Telephone Number | Email/URL |
| --- | --- | --- | --- | --- |
| Entire Policy | Information Technology Services | Vice President & Chief Information Officer | (315) 498-2717 | firstname.lastname@example.org |
Responsibilities. OCC's employees have varied access to a range of technology and information systems, some of which contain sensitive data. Consequently, it is important for users to behave in a responsible, ethical, and legal manner and protect the confidentiality of individuals' information that is entrusted to OCC.
Given the evolving nature of cyber-attacks and threats, all OCC employees are required to participate in annual Cyber Security Awareness training.
OCC students and employees are responsible for the appropriate use of OCC's information technology, including, but not limited to, the following:
All users are required to comply with all applicable OCC policies, procedures, standards, guidelines and municipal, state, and federal laws, rules, and regulations including the Gramm-Leach-Bliley Act (P.L. 106-102) and the Federal Trade Commission's Safeguards Rule (16 CFR Part 314).
- Authorized Use. Users are permitted to use only those technology resources for which authorization has been obtained and are required to use those resources and tools only in the manner and to the extent authorized. The authorized use of OCC technology and information systems is restricted specifically to work activities. OCC employees are encouraged to conduct personal business with their own personal technologies.
- Statement of Responsibility. Any employee who is assigned to work with access to the OCC technology and information systems is required to complete a Statement of Responsibility form prior to being authorized for use.
to Administrative Data. Access to administrative data by student workers is highly restrictive and limited. Supervisors may decide what portions of administrative data their student employees should have access to. Such access should be allowed only when staff members of the department are present to supervise the student employee and a Student Aide Computer Access Form has been completed and approved. In addition, OCC is bound by its contractual and license agreements respecting certain third-party resources; users are expected to comply with all such agreements when using such resources.
Users are expected to protect and maintain the confidentiality and integrity of information obtained by access to OCC technology and information systems. Employees granting approval for access or directly accessing restricted or private information shall be aware of their obligations regarding the protection and responsibilities of accessing such data. Those authorized to access restricted or private data should only do so when performing activities and responsibilities required of their position. Access to restricted and private data may only be granted to individuals where a business need exists and the individual has appropriate authorization in OCC information systems. Those authorized to grant or revoke access to restricted or private data are responsible for ensuring that access is appropriately assigned, modified as needed and cancelled promptly when individuals transfer to other positions or leave the college. Employees should not save, store or share confidential or sensitive data on personally owned devices, nor store data in online services assigned to them personally and not under contract with OCC.
Access to OCC’s technology and information systems is strictly controlled by the use of a user name and password to protect privacy and comply with federal law. OCC accounts and passwords are assigned to one individual and should be used by only that person. Users are expected to protect all passwords and accounts from unauthorized access. The owner of the account is responsible for keeping the account password private and secure and for all activity that takes place on their account, whether intentional or unintentional. Unauthorized or illegal activity should be reported to the ITS Help Desk. If an account is shared or a password is given out, the holder of the account may lose all account privileges and be held personally responsible for any actions that arise from misuse of the account.
- College Property. College property, including computers, software, peripherals, telephones, and related equipment and supplies, is not to be moved within the college or removed from the premises without written advance permission from the Administrative Department Head, Department Chair, or an authorized supervisor. The Computing Move-Add-Change Request Form must be completed to facilitate internal moves of computing units.
Any user who violates this or other OCC policies, procedures, contractual obligations, or applicable state or federal laws, is subject to appropriate disciplinary and legal action, including, but not limited to, the limitation or denial of access to OCC’s network and systems. Violators may also be subject to disciplinary action, up to and including termination.
- Improper Behavior. Improper use of OCC’s information systems is prohibited. The following are additional examples of improper and
Activity. Use of OCC technology and information systems prohibits the storage, transmission, access and printing of anything that contains illegal content or files, that infringes upon the rights of another person or entity, that contains sexually offensive or inappropriate information and/or graphic material (see Policy N4 Display of Pornographic Material), that consists of any advertisements for commercial enterprises, or that consists of information that may injure someone else and/or lead to a lawsuit or criminal charges.
b. Downloading and Uploading. Downloading, uploading, distributing, or running any file or program that has the potential to damage files, networks, servers, or computers; or for the purpose of eavesdropping on others’ communications; or if the user is not licensed or does not have the appropriate permission of the owner of the file to download such file. Users are prohibited from downloading or running any data or programs without prior approval and without a demonstrated business need, including file sharing software, music, games, videos, chat services, peer-to-peer software and any non-business-related software or data.
Use/Access. Gaining or attempting to gain unauthorized access to OCC computing resources including remote computers or another user’s electronic communications, files or software without the permission of the owner, including, but not limited to, violations of software and other licenses, accessing computing resources that they are unauthorized to use and access via unapproved protocols. Actions that give simulated sign off messages, public announcements, or other fraudulent system responses. Having or changing system control information such as program status, protection codes, and accounting information, especially when used to defraud others, obtain passwords, gain access to and/or copy another's electronic communications, or otherwise interfere with or destroy their work.
d. Harassment. Harassing others by sending annoying, abusive, profane, threatening, defamatory or offensive messages. Some examples include: obscene, threatening, or repeated unnecessary messages; sexually, ethnically, racially, or religiously offensive messages; continuing to send messages after a request
Sabotage. Intentionally destroying anything stored on the computer system or communications networks. Deliberately performing any act that will seriously impact the operation of the information systems and communications networks.
Use of Data. Data created and maintained by OCC, or acquired from outside sources, are vital assets of OCC. Administrative, research, and other data may be subject to a variety of use restrictions.
Spyware, etc. Running or installing on the computer systems, including accessing potentially destructive files either knowingly or unknowingly, or giving to another a program or file that could result in the eventual damage to a file or the computer systems and communications networks, and/or the reproduction of itself. This is directed towards, but not limited to, the classes of programs known as computer viruses, trojan horses, worms,
10. Abuse: Abuse of OCC's computing systems includes, but is not limited to, the following, and will not be tolerated under
or Breaching Security. Attempting to circumvent data protection schemes, uncover security loopholes or gain access to resources that are not properly authorized. It is strictly forbidden to attempt to circumvent any of OCC's security measures. Hacking and password grabbing are also strictly prohibited. Accounts, passwords, and other authentication mechanisms may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the college.
Commercial Purposes. Users are prohibited from using OCC's information systems and communications networks for personal and/or financial gain.
Resources. Performing acts that are wasteful of computing resources or large attachments to many users or that unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, creating unnecessary multiple jobs or processes, generating unnecessary or excessive output, accessing and/or printing inappropriate material, printing or creating unnecessary network traffic; or using printers as copy machines (i.e., printing multiple copies of documents, papers, flyers, etc.). The Duplicating Department should be used for all large print jobs and manuals, where more cost-effective double-sided copying can be achieved.
d. False or Misleading Email Address. Using a misleading or false email return address.
Email. Users are prohibited from sending unsolicited commercial email messages or from sending any email messages “en masse” to persons not known.
Use: Use of the computing systems and communications networks, if such use interferes with academic or business use.
11. Monitoring, Access, Disclosure. Users should not expect email privacy or privacy in other electronic communications when connected to OCC’s information systems and communications networks. While OCC does not generally monitor or access email, files, and other information transmitted via or stored on OCC's information systems and communications networks, it does monitor, access, review and disclose such information where appropriate and to proactively prevent data security breaches and unauthorized activity. Without limiting the generality of the foregoing or the discretion of OCC in determining when appropriate circumstances exist, appropriate circumstances include: investigating information systems and communications networks performance and system problems; investigating IT security incidents; disconnecting personal and college-owned equipment and user credentials; determining if an individual is in violation of this policy; ensuring that OCC is not subject to claims of institutional misconduct; investigating possible misuse of OCC resources, violation of law or regulations, or violation of OCC policies and procedures; in connection with academic, disciplinary, or administrative inquiries; in connection with legal proceedings; for purposes related to OCC business; and as otherwise permitted by law. OCC has the authority to access and inspect the contents of any college equipment, files or email on its systems. OCC may restrict or filter access to specific services or protocols for technical, security, policy, or legal reasons. Users accessing or attempting to access services not offered by OCC, either intentionally or unintentionally, may be subject to disciplinary or legal action. Access to files on college-owned equipment will only be approved by specific personnel when there is a valid reason to access those files. Authority to access user files can only come from the Vice President & Chief Information Officer in conjunction with the Vice President to whom the user reports (or the President if the subject of investigation is a Vice President and/or the Vice President of Human Resources or designee). OCC General Counsel may be consulted if deemed necessary. External law enforcement agencies may request access to files through valid subpoenas and other legally binding requests. All such requests must be approved by the college President. Information obtained in this manner can be admissible in legal proceedings or in a college hearing.
12. Physical and Environmental Security. OCC provides reasonable security measures against intrusion and damage to files. Information processing and storage facilities for critical information should be located in areas with controls for accessing the facilities. These physical security mechanisms are intended to protect the facilities from unauthorized access, damage or interference and should be periodically reviewed to ensure such protection. The ITS Data Center is strictly controlled and only available to authorized personnel who have a need to transact specific college computer-related business within ITS. Automated controls requiring re-authentication are implemented to protect computing devices from unauthorized use. When employees leave the work area, the screen must be cleared and the computer locked and logged off from all administrative systems, applications and networks. Hard copy administrative data obtained from the administrative systems and applications must be carefully protected, especially those that contain restricted administrative data. Provisions must be made for the secure disposal of this administrative data.
Development and Maintenance. Security issues must be identified during the requirements phase of any project and must be agreed upon and documented as part of any project plan or new
14. Third Party Service Providers. Third party service provider contracts must be reviewed to ensure providers are capable of maintaining appropriate information security measures including a documented Information Security and cyber liability insurance coverage that is consistent with applicable OCC policies, procedures, standards, guidelines; and municipal, state, and federal laws, rules, and regulations. Third party service providers are required to complete OCC's Third Party Vendor Assessment Questionnaire that must be reviewed and approved by ITS prior to the execution of any contract or agreement for software, hosting, or other technology-related services. Access to OCC computing resources by third parties, including contractors and vendors, is temporary in nature and must be requested through the use of the Provisional Computer Access Request Form; such users are expected to be aware of and comply with the provisions of this policy.
VII. Administrative Data Stewards
Access to administrative data and information systems is determined by an employee’s job duties and is limited to the extent necessary for employees to perform the responsibilities of their position. Administrative Data Stewards are the individuals and departments with the responsibility and authority for establishing and maintaining appropriate security measures for the data within their jurisdiction. Administrative Data Stewards make decisions regarding controls and access privileges of users, and determine the appropriate level of access (view, update, etc.). Administrative Data Stewards are responsible for ensuring that an appropriate user management process is implemented for third parties who may need access to OCC administrative data and information systems including validation of the identity of the user, scope of access and timely notification when access is no longer needed.
The Administrative Data Owners include those with executive level responsibility within the college administration
- Admissions records
- Academic records
- Student records
- Financial Aid
- Student Accounts
- Human Resources
- Alumni & Donor
- Institutional Planning, Assessment & Research
- Information Technology Services (CORE data and network system information)
Administrative Data Stewards are responsible for ensuring that individuals with access to administrative data (particularly data classified as RESTRICTED and PRIVATE) are aware of the confidential nature of the information and the limitations, in terms of disclosure, that apply to the data. When accessing restricted or private information, employees are responsible for maintaining its confidentiality. The Human Resources office is responsible for notifying ITS when an employee is separated from the college. Upon notification from Human Resources, ITS handles changes to the employee account credentials and terminates access as directed. This standard procedure serves to protect the employee, administrative computing systems, applications and networks against possible tampering. Supervisors are responsible for notifying ITS of a change to an employee’s job functions so that access rights are adjusted accordingly. The individual departments of the college are responsible for training their employees on the operational and appropriate use of administrative data systems including appropriate handling of restricted and private data.
VIII. IT Security Incidents, New York Information Breach & Notification Requirements
The college uses reasonable efforts to maintain the security of private information (as defined in the New York State Information Security Breach and Notification Act, as amended, "ISBNA" (General Business Law § 889-aa; State Technology Law § 208)) that it creates, receives, maintains, or transmits to prevent unauthorized use and/or disclosure of that private information; and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic private information. The college agrees to fully disclose, pursuant to the ISBNA and any other applicable law, any breach of the security of a system following discovery or notification of the breach in the system to any resident of New York State whose private information was, or is reasonably believed to have been, acquired without valid authorization ("Security Incidents"). The disclosure shall be made in the most expedient time possible. In the event of a security incident, OCC has an obligation to notify individuals whose private information has been or may have been compromised. In such an instance, OCC will determine the manner in which such notification will be provided to the individuals involved pursuant to the ISBNA.
incidents generally defined as: 1) any event involving OCC information technology or systems that is suspected or determined to a) violate applicable state or federal law or regulation; b) be harmful to the security or privacy of OCC computer systems, communications networks, OCC information, or the general public; c) be otherwise harmful to OCC information systems and/or communications networks; or d) cause unexpected disruption to OCC computer systems and/or communications networks; or 2) any inquiry requests in connection with academic, disciplinary, or administrative investigations. An IT security incident that impacts regulated data (e.g., student information, personal health information, SSNs) or sensitive OCC data (e.g., business contracts) will be considered a Critical Incident.
- IT Security Incidents. IT security incident response procedures are intended to protect OCC’s information technology, including information resources, from future unauthorized access, use or damage, and to mitigate the impact of the IT security incident. These procedures will also be followed in connection with academic, disciplinary or administrative inquiries.
- IT Security Incident Response Team. ITS, in consultation with the college's executive team and President, is responsible for coordinating the handling of IT security incidents, and related duties, such as alerting the campus to attacks. The response to IT security incidents involves both technical and management personnel that are properly positioned to represent key IT and business interests. Oversight of the response to IT security incidents is the responsibility of the Vice President & Chief Information Officer.
- Reporting and Detection of IT Security Incidents. Any member of the OCC campus community may request investigation of a suspected IT security incident from ITS. ITS itself might detect IT security incidents. ITS will take appropriate steps to track, investigate, and resolve reported or detected IT security incidents and report the outcome to the appropriate parties. Critical IT security incidents must be promptly reported to ITS. Departments and individuals are encouraged to report all IT security incidents to help improve the tracking of trends and threats.
- Assessment and Escalation. OCC has the authority to access, inspect, and disclose the contents of any college equipment, files or email on its systems. Access to files on college-owned equipment will only be approved by specific personnel when there is a valid reason to access those files. If it is necessary to access user files, authority must be obtained from the Vice President and Chief Information Officer and the Vice President to whom the user reports (or the President if the subject of investigation is a Vice President and/or Vice President of Human Resources or designee). OCC General Counsel will be consulted if deemed necessary.
- IT Authority and Actions. For critical IT security incidents, ITS management will have authority to involve legal entities, to disconnect or shut down part or all of the campus IT infrastructure, and to direct other campus IT personnel to take specific actions. For non-critical IT security incidents, ITS may disconnect individual systems, as needed, but will work with user areas to balance disruptions against the security risks.
- Reporting, Documentation, and Communication. ITS maintains records of reported or detected IT security incidents and strives to communicate important security information to the campus community. In the event of an actual Critical IT Security Incident, IT will ensure timely notification to campus leadership, including the campus President and SUNY System Administration officials as appropriate. ITS plays a leadership role in conducting cyber security awareness activities and in proactively educating the campus community regarding appropriate security procedures to minimize risk and prevent data security issues.
Approved by OCC Board of Trustees April 3, 2006
Updated and approved by the President January 31, 2011
Updated and approved by the President April 14, 2014
Updated and approved by the President June 15, 2015
Updated and approved by the President April 3, 2017
Updated and approved by the President September 22, 2017
Updated and approved by the President October 16, 2017
Updated and approved by the President September 19, 2018