Crest for Policies 

Policy J1
Policy Name: Acceptable and Responsible Use of Computing Technology
Responsibility for Maintenance: Information Technology

Date of Most Recent Changes: October 16, 2017

I. Policy Statement 

Onondaga Community College offers students and employees the use of a broad range of computing technology. In order to maintain computing technology systems that effectively serve and support the campus community, Onondaga Community College manages, maintains and monitors the use of its technology and responds to reported or detected IT security incidents. All materials, supplies and equipment issued to or used by employees for the performance of their jobs are considered the property of Onondaga Community College. Onondaga Community College does not provide technical support for the use of personally owned equipment or software. The authorized use of Onondaga Community College's computing technology by students, faculty, staff, and authorized visitors shall be consistent with this policy.

Regardless of funding source and resource requirements, all technology related purchases must be reviewed and approved by IT, including but not limited to: software, hardware, internal and external services, hosting arrangements and participation in any technology related beta or pilot program. Third party and vendor supplied computing devices intended to be connected to the OCC network must first be reviewed and approved by the IT Department and have the appropriate security controls installed. Software that requires integration with OCC information systems must be assessed and approved by the IT Department.

Personally owned devices connected to the OCC network either directly or via a network port, wirelessly by an access point, or by a wireless provider are the responsibilities of the owner of the device. This policy in all parts applies to personally owned devices connected to the OCC computer systems and communications network. Please see Policy J8 for acceptable security standards for personally owned devices. 

II. Reason for Policy 

Onondaga Community College has implemented this policy in order to appropriately manage, operate, maintain, and monitor the use of its computing technology systems and to ensure that secure and productive systems are available to the campus community.

III. Applicability of the Policy 

This policy applies to all students, faculty, staff, contractors, visitors, third party providers and others who have access to college information and who are authorized by Onondaga Community College to use Onondaga Community College’s computing technology. Such authorized users are responsible for knowing the procedures and regulations of Onondaga Community College that apply to this policy, exercising good judgment in and the appropriate use of the College’s computing technology. 

IV. Related Documents 

V. Contacts 

Subject  Office Name   Title or Position  Telephone Number  Email/URL 
Entire Policy Information Technology  Chief Information Officer  (315) 498-2183 

VI. Procedures 

User Responsibilities. Users of Onondaga Community College’s computing technology have access to valuable computing resources, sensitive data, and internal and external communications networks. Consequently, it is important for users to behave in a responsible, ethical, and legal manner. Users are required to participate in annual Cyber Security Awareness training. Failure to do so may result in the loss of computing access and credentials. Users are responsible at all times for the appropriate use of Onondaga Community College’s computing technology, including, but not limited to, the following:

  1. Compliance. All users are required to comply with all applicable Onondaga Community College policies, procedures, standards, guidelines and municipal, state, and federal laws, rules, and regulations including the Gramm-Leach-Bliley Act (P.L. 106-102) and the Federal Trade Commission's Safeguards Rule (16 CFR Part 314)..
  2. Authorized Use. Users are permitted to use only those computing technology resources for which authorization has been obtained and are required to use those resources and tools only in the manner and to the extent authorized. The authorized use of Onondaga Community College computing technology is restricted to work activities specifically, and is not authorized for personal use. The College is not responsible for retrieving or handling personal data that may be stored on college owned devices. Any employee who is assigned to work with access to the Onondaga Community College computing systems is required to complete a Statement of Responsibility form prior to being authorized for use. Access to administrative data by student workers is highly restrictive and limited. Supervisors may decide what portions of administrative data their student employees should have access to. Such access should be allowed only when staff members of the department are present to supervise the student employee and a Student Aide Computer Access Form has been completed and approved. In addition, Onondaga Community College is bound by its contractual and license agreements respecting certain third party resources; users are expected to comply with all such agreements when using such resources.
  3. Confidentiality. Users are expected to protect and maintain the confidentiality and integrity of information obtained by access to Onondaga Community College computing technology. Employees granting approval for access or directly accessing confidential data shall be aware of their obligations regarding such data. Those authorized to access confidential data should only do so when performing activities and responsibilities of their position. Access to confidential data may only be granted to individuals where a business need exists and the individual has appropriate authorization on College computing storage. Those authorized to access confidential data are responsible for properly storing and securing it. Those authorized to grant or revoke access to confidential data are responsible for ensuring that access is appropriately assigned, modified as needed and canceled promptly when individuals transfer to other positions or leave the college. Employees should not save, store or share confidential or sensitive data on personally owned devices. As previously noted, employees that receive, maintain, process or otherwise have access to confidential information are responsible for protecting confidential customer data in accordance with the Gramm-Leach-Bliley Act and the Federal Trade Commission's Safeguards Rule. 
  4. Copyright. In order to duplicate any copyrighted material, appropriate legal permission must first be obtained from the copyright holder. All software loaded onto Onondaga Community College owned computers must be properly licensed.  Faculty, staff and students are not permitted to load non-licensed computer software on to any College owned equipment.  
  5. Access. Access to Onondaga Community College’s computing technology systems is strictly controlled by the use of a user name and password to protect privacy and comply with federal law. Computer accounts and passwords are assigned to one individual and should be used by only that person. Users are expected to protect all passwords and accounts from unauthorized access.  The owner of the account is responsible for keeping the account password private and secure and for all activity that takes place on their account, whether intentional or unintentional. Unauthorized or illegal activity should be reported to the Information Technology Help Desk. If an account is shared or password is given out, the holder of the account may lose all account privileges and be held personally responsible for any actions that arise from misuse of the account.
  6. College Property. College property, including computers, software, peripherals, telephones, and related equipment and supplies, is not to be moved within the college or removed from the premises without written advance permission from the Administrative Department Head, Department Chair, or an authorized supervisor. The Computing Move-Add-Change Request Form must be completed to facilitate internal moves of computing units.
  7. Violations. Any user who violates this or other Onondaga Community College Policies, procedures, contractual obligations, or applicable state or federal laws, is subject to appropriate disciplinary and legal action, including, but not limited to, the limitation or denial of access to Onondaga Community College’s computer systems and communications networks. Violators may also be subject to disciplinary action, up to and including termination. Onondaga Community College reserves the right to revoke access to its computer systems and communications networks.
  8. Improper Behavior. Improper use of Onondaga Community College’s computing systems is prohibited. The following are additional examples of improper and prohibited use:

a. Illegal Activity. Storing, transmitting, accessing or printing via the computer systems and communications networks anything that contains illegal content or files, that infringes upon the rights of another person or entity, that contains sexually offensive or inappropriate information and/or graphic material, that consists of any advertisements for commercial enterprises, or that consists of information that may injure someone else and/or lead to a lawsuit or criminal charges.

b. Downloading. Downloading, uploading, distributing, or running any file or program that has the potential to damage files, networks, servers, or computers; or for the purpose of eavesdropping on others’ communications; or if the user is not licensed or does not have the appropriate permission of the owner of the file to download such file. Users are prohibited from downloading, or running any data or programs without prior approval and without a demonstrated business need, including file sharing software, music, games, videos, chat services, peer-to-peer software and any non-business related software or data.

c. Unauthorized Use/Access. Gaining or attempting to gain unauthorized access to OCC computing resources including remote computers or another user’s electronic communications, files or software without the permission of the owner, including, but not limited to, violations of software and other licenses, accessing computing resources that they are unauthorized to use and access via unapproved protocols. Actions that give simulated sign off messages, public announcements, or other fraudulent system responses. Having or changing system control information such as, program status, protection codes, and accounting information especially when used to defraud others, obtain passwords, gain access to and/or copy another's electronic communications, or otherwise interfere with or destroy their work.

d. Harassment. Harassing others by sending annoying, abusive, profane, threatening, defamatory or offensive messages. Some examples include: obscene, threatening, or repeated unnecessary messages; sexually, ethnically, racially, or religiously offensive messages; continuing to send messages after a request to stop; and procedures that hinder a computer session.

e. Destruction, Sabotage. Intentionally destroying anything stored on the computer system or communications networks. Deliberately performing any act that will seriously impact the operation of the computer systems and communications networks.

f. Theft/Unauthorized Use of Data. Data created and maintained by Onondaga Community College, or acquired from outside sources, are vital assets of Onondaga Community College. Administrative, research, and other data may be subject to a variety of use restrictions.

g. Program Theft. Unless specifically authorized, copying computer program(s) from the computer systems and communications networks.

h. Viruses, Spyware, etc. Running or installing on the computer systems, including accessing potentially destructive files either knowingly or unknowingly, or giving to another a program or file that could result in the eventual damage to a file or the computer systems and communications networks, and/or the reproduction of itself. This is directed towards, but not limited to, the classes of programs known as computer viruses, Trojan horses, worms, and malware.

i. Pornographic Materials. The public showing of or display of pornographic materials on the Onondaga Community College campus, or the manner that a third party would reasonably tend to associate with the College, is prohibited.

9. Abuse: Abuse of Onondaga Community College's computing systems include, but are not limited to, the following, and will not be tolerated under any circumstances:

a. Circumventing or Breaching Security. Attempting to circumvent data protection schemes, uncover security loopholes or attempt to gain access to resources that are not properly authorized. It is strictly forbidden to attempt to circumvent any of Onondaga Community College's security measures. Hacking and password grabbing are also strictly prohibited. Accounts, passwords, and other authentication mechanisms, may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the college.

b. Chain Letters. The propagation of chain letters is prohibited.

c. Flooding. Posting a message with the intention of reaching as many users as possible is prohibited.

d. Private Commercial Purposes. Users are prohibited from using Onondaga Community College's computer systems and communications networks for personal and/or financial gain.

e. Wasting Resources. Performing acts that are wasteful of computing resources or large attachments to many  users or that unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, creating unnecessary multiple jobs or processes, generating unnecessary or excessive output, accessing and/or printing inappropriate material, printing or creating unnecessary network traffic; or using printers as copy machines (i.e., printing multiple copies of, documents, papers, flyers, etc.). The Duplicating department should be used for all large print jobs and manuals, where more cost effective double sided copying can be done.

f. False or Misleading Email Address. Using a misleading or false email return address.

g. Unsolicited Email. Users are prohibited from sending unsolicited commercial email messages or from sending any email messages “en masse” to persons not known.

h. Recreational Use: Use of the computing systems and communications networks, if such use interferes with academic or business use. Public computing areas are designated for academic purposes.  

  1. Monitoring, Access, Disclosure. Users should not expect email privacy or privacy in other electronic communications when connected to Onondaga Community College’s computing systems and communications networks. While Onondaga Community College does not generally monitor or access email, files, and other information transmitted via or stored on the Onondaga Community College computing systems and communications networks, it does regularly monitor, access, review, and disclose such information where appropriate and to proactively prevent data security breaches and unauthorized activity. Without limiting the generality of the foregoing or the discretion of Onondaga Community College in determining when appropriate circumstances exist, appropriate circumstances include: investigating computer systems and communications networks performance and system problems; investigating IT Security Incidents; disconnecting personal and college-owned equipment and user credentials; determining if an individual is in violation of this policy; to ensure that Onondaga Community College is not subject to claims of institutional misconduct; to investigate possible misuse of Onondaga Community College resources, violation of law or regulations, or violation of Onondaga Community College policies and procedures; (ii) in connection with academic, disciplinary, or administrative inquiries; in connection with legal proceedings; for purposes related to Onondaga Community College business; and as otherwise permitted by law. Onondaga Community College has the authority to access and inspect the contents of any College equipment, files or email on its systems. OCC may restrict or filter access to specific services or protocols for technical, security, policy, or legal reasons. Users accessing or attempting to access services not offered by OCC, either intentionally or unintentionally, may be subject to disciplinary or legal action. Access to files on college-owned equipment will only be approved by specific personnel when there is a valid reason to access those files. Authority to access user files can only come from the Vice President & Chief Information Officer in conjunction with the Vice President to whom the user reports (or the President if the subject of investigation is a Vice President and/or the Vice President of Human Resources or designee). Onondaga Community College General Counsel may be consulted if deemed necessary. External law enforcement agencies may request access to files through valid subpoenas and other legally binding requests. All such requests must be approved by Onondaga Community College General Counsel. Information obtained in this manner can be admissible in legal proceedings or in a college hearing.
  2. Deleting Electronic Communications. Users of the computing systems and communications networks should be aware that electronic communications are not necessarily erased from the computer systems when the user "deletes" files or messages. An electronic communication may continue to be stored on a backup copy long after it is "deleted" by the user. As a result, deleted messages can often be retrieved or recovered after they have been deleted (see Policy J4 Email, Telephone & Voice Mail Usage).
  3. Physical and Environmental Security. Onondaga Community College provides reasonable security measures against intrusion and damage to files. Information processing and storage facilities for critical information should be located in areas with controls for accessing the facilities. These physical security mechanisms are intended to protect the facilities from unauthorized access, damage or interference and should be periodically reviewed to insure such protection. The IT Data Center is strictly controlled and only available to authorized personnel who have a need to transact specific college computer-related business within the IT department. Automated controls requiring re-authentication are implemented to protect computing devices from unauthorized use. When employees leave the work area, the screen must be cleared and the terminal/PC totally locked or logged off from all administrative systems, applications and networks. Hard copy administrative data obtained from the administrative systems and applications must be carefully protected, especially those that contain restricted administrative data. Provisions must be made for the secure disposal of this administrative data.
  4. System Development and Maintenance. Security issues must be identified during the requirements phase of any project and must be agreed upon and documented as part of any project plan or new software installation.
  5. Third Party Service Providers. Third party service provider contracts must be reviewed to ensure providers are capable of maintaining appropriate information security measures including a documented Information Security policy and cyber liability insurance coverage that is consistent with applicable Onondaga Community College policies, procedures, standards, guidelines; and municipal, state, and federal laws, rules, and regulations. Third party service providers are required to complete OCC's Third Party Vendor Assessment Questionnaire that must be reviewed and approved by the IT Department prior to the execution of any contract or agreement for software, hosting, or other technology related services. Access to OCC computing resources by third parties, including contractors and vendors, is temporary in nature and must be requested through the use of the Provisional Computer Access Request Form; such users are expected to be aware of and comply with the provisions of this policy. 

VII.  Administrative Data Owners

Access to administrative data and information systems is determined by an employee’s job duties and is limited to the extent necessary for employees to perform the responsibilities of their position. Administrative Data Owners are the individuals and departments with the responsibility and authority for establishing and maintaining appropriate security measures for the data within their jurisdiction. Administrative Data Owners make decisions regarding controls, access privileges of users and determining the appropriate level of access (view, update, etc.). Administrative Data Owners are responsible for ensuring that an appropriate user management process is implemented for third parties who may need access to OCC administrative data and information systems including validation of the identity of the user, scope of access and timely notification when access is no longer needed.

The Administrative Data Owners include those with executive level responsibility within the college administration including: Academic Affairs, Administration & Compliance, Ancillary Services, Campus Life & Safety, Development, Enrollment Development & Communications, Financial Services, General Counsel, Human Resources, Information Technology, Institutional Planning, Assessment & Research, and Student Engagement & Learning Support.  

Administrative Data Owners are responsible for ensuring that individuals with access to administrative data are aware of the confidential nature of the information and the limitations, in terms of disclosure, that apply to the data. When accessing restricted information, employees are responsible for maintaining its confidentiality. The Human Resources office is responsible for notifying the Information Technology department when an employee is separated from the college. Upon notification from Human Resources, the IT department handles changes to the employee account credentials and terminates access as directed. This standard procedure serves to protect the employee, administrative computing systems, applications and networks against possible tampering. Supervisors are responsible for notifying the IT department of a change to an employee’s job functions so that access rights are adjusted accordingly. The individual departments of the college are responsible for training their employees on the operational and appropriate use of administrative data systems including appropriate handling of confidential data.

VIII.  IT Security Incidents, New York Information Breach & Notification Requirements

The college uses reasonable efforts to maintain the security of private information (as defined in the New York State Information Security Breach and Notification Act, as amended "ISBNA" (General Business Law § 889-aa; State Technology Law § 208) that it creates, receives, maintains, or transmits to prevent unauthorized use and/or disclosure of that private information; and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic private information. The college agrees to fully disclose to the ISBNA, and any other applicable law, any breach of the security of a system following discovery or notification of the breach in the system to any resident of New York State whose private information was, or is reasonably believed to have been acquired, without valid authorization ("Security Incidents"). The disclosure shall be made in the most expedient time possible. In the event of a security incident, OCC has an obligation to notify individuals whose private information has been or may have been compromised. In such an instance, OCC will determine the manner in which such notification will be provided to the individuals involved pursuant to the ISBNA. 

IT Security Incidents generally defined as: 1) any event involving Onondaga Community College Computing technology that is suspected or determined to a) violate applicable state or federal law or regulation; b) be harmful to the security or privacy of Onondaga Community College Computer Systems, Communications Networks, Onondaga Community College information, or the general public; c) be otherwise harmful to Onondaga Community College Computer Systems and/or Communications Networks; or d) cause unexpected disruption to Onondaga Community College Computer Systems and/or Communications Networks; or 2) any inquiry requests in connection with academic, disciplinary, or administrative investigations. An IT security incident that impacts regulated data (e.g., Student Information, Personal Health Information, SSN’s) or sensitive Onondaga Community College Data (e.g., business contracts) will be considered a Critical Incident.

  1. IT Security Incidents. The IT Security Incident response procedures are intended to protect Onondaga Community College’s computing technology, including information resources, from future unauthorized access, use or damage, and to mitigate the impact of the IT Security Incident. These procedures will also be followed in connection with academic, disciplinary or administrative inquiries.
  2. IT Security Incident Response Team. The IT Department, in consultation with the Administration, is responsible for coordinating the handling of IT Security Incidents, and related duties, such as alerting the campus to attacks. The response to IT Security Incidents involves both technical and management personnel that are properly positioned to represent key IT and business interests. Oversight of the response to IT Security Incidents is the responsibility of the Chief Information Officer.
  3. Reporting and Detection of IT Security Incidents. Any member of the Onondaga Community College campus community may request investigation of a suspected IT Security Incident from the IT Department. The IT Department itself might detect IT Security Incidents. IT will take appropriate steps to track, investigate, and resolve reported or detected IT Security Incidents and report the outcome to the appropriate parties. Critical IT Security Incidents must be promptly reported to the IT Department. Departments and individuals are encouraged to report all IT Security Incidents to help improve the tracking of trends and threats.
  4. Assessment and Escalation. Onondaga Community College has the authority to access, inspect, and disclose the contents of any College equipment, files or email on its systems. Access to files on College owned equipment will only be approved by specific personnel when there is a valid reason to access those files. If it is necessary to access user files, authority must be obtained from the Chief Information Officer and the Vice President to whom the user reports (or the President if the subject of investigation is a Vice President and/or Vice President of Human Resources or designee). Onondaga Community College General Counsel will be consulted if deemed necessary.
  5. IT Authority and Actions. For Critical IT Security Incidents, IT management will have authority to involve legal entities, to disconnect or shut down part or all of the campus IT infrastructure, and to direct other campus IT personnel to take specific actions. For non-Critical IT Security Incidents, IT may disconnect individual systems, as needed, but will work with User areas to balance disruptions against the security risks.
  6. Reporting, Documentation, and Communication. IT maintains records of reported or detected IT Security Incidents and strives to communicate important security information to the campus community. In the event of an actual Critical IT Security Incident, IT will ensure timely notification to campus leadership, including the campus President and SUNY System Administration officials as appropriate. The IT department plays a leadership role in conducting cyber security awareness activities and in proactively educating the campus community regarding appropriate security procedures to minimize risk and prevent data security issues. 

Approved by OCC Board of Trustees April 3, 2006

Updated and approved by the President January 31, 2011

Updated and approved by the President April 14, 2014

Updated and approved by the President June 15, 2015

Updated and approved by the President April 3, 2017

Updated and approved by the President September 22, 2017

Updated and approved by the President October 16, 2017