Policy Name: Acceptable and Responsible Use of Computing Technology
Responsibility for Maintenance: Information Technology
Date of Most Recent Changes: October 16, 2017
I. Policy Statement
Onondaga Community College offers
students and employees the use of a broad range of computing technology. In
order to maintain computing technology systems that effectively serve and
support the campus community, Onondaga Community College manages, maintains and
monitors the use of its technology and responds to reported or detected IT security
incidents. All materials, supplies and equipment issued to or used by employees
for the performance of their jobs are considered the property of Onondaga
Community College. Onondaga Community College does not provide technical
support for the use of personally owned equipment or software. The authorized
use of Onondaga Community College's computing technology by students, faculty,
staff, and authorized visitors shall be consistent with this policy.
Regardless of funding source and resource requirements, all technology related purchases must be reviewed and approved by IT, including but not limited to: software, hardware, internal and external services, hosting arrangements and participation in any technology related beta or pilot program. Third party and vendor supplied computing devices intended to be connected to the OCC network must first be reviewed and approved by the IT Department and have the appropriate security controls installed. Software that requires integration with OCC information systems must be assessed and approved by the IT Department.
Personally owned devices connected to the OCC network either directly or via a network port, wirelessly by an access point, or by a wireless provider are the responsibilities of the owner of the device. This policy in all parts applies to personally owned devices connected to the OCC computer systems and communications network. Please see Policy J8 for acceptable security standards for personally owned devices. http://employees.sunyocc.edu/index.aspx?id=22176
II. Reason for Policy
Onondaga Community College has
implemented this policy in order to appropriately manage, operate, maintain,
and monitor the use of its computing technology systems and to ensure that
secure and productive systems are available to the campus community.
III. Applicability of the Policy
This policy applies to all students, faculty, staff, contractors, visitors, third
party providers and others who have access to college information and who are
authorized by Onondaga Community College to use Onondaga Community College’s computing
technology. Such authorized users are responsible for knowing the procedures
and regulations of Onondaga Community College that apply to this policy, and for
exercising good judgment in the appropriate use of the College’s computing technology.
IV. Related Documents
| Subject | Office Name | Title or Position | Telephone Number | Email/URL |
| --- | --- | --- | --- | --- |
| Entire Policy | Information Technology | Chief Information Officer | (315) 498-2183 | email@example.com |
Responsibilities. Users of Onondaga Community College’s
computing technology have access to valuable computing resources, sensitive
data, and internal and external communications networks. Consequently, it is
important for users to behave in a responsible, ethical, and legal manner. Users are required to participate in annual Cyber Security Awareness training. Failure to do so may result in the loss of computing access and credentials. Users are responsible at all times for the appropriate use of Onondaga Community
College’s computing technology, including, but not limited to, the following:
All users are required to comply with all applicable Onondaga Community
College policies, procedures, standards, guidelines and municipal, state,
and federal laws, rules, and regulations including the Gramm-Leach-Bliley Act (P.L. 106-102) and the Federal Trade Commission's Safeguards Rule (16 CFR Part 314).
- Authorized Use.
Users are permitted to use only those computing technology resources for
which authorization has been obtained and are required to use those
resources and tools only in the manner and to the extent authorized. The
authorized use of Onondaga Community College computing technology is
restricted to work activities specifically, and is not authorized for
personal use. The College is not responsible for retrieving or handling
personal data that may be stored on college owned devices. Any employee
who is assigned to work with access to the Onondaga Community College computing
systems is required to complete a Statement of Responsibility form prior
to being authorized for use. Access
to administrative data by student workers is highly restrictive and
limited. Supervisors may decide
what portions of administrative data their student employees should have
access to. Such access should be
allowed only when staff members of the department are present to supervise
the student employee and a Student Aide Computer Access Form has been completed and approved. In addition, Onondaga
Community College is bound by its contractual and license agreements
respecting certain third party resources; users are expected to comply
with all such agreements when using such resources.
Users are expected to protect and maintain the confidentiality and
integrity of information obtained by access to Onondaga Community College computing
technology. Employees granting approval for access or directly accessing
confidential data shall be aware of their obligations regarding such
data. Those authorized to access confidential data should only do so
when performing activities and responsibilities of their position. Access to confidential data may only be granted to individuals where a
business need exists and the individual has appropriate
authorization on College computing storage. Those authorized to access confidential data are
responsible for properly storing and securing it. Those authorized
to grant or revoke access to confidential data are responsible for
ensuring that access is appropriately assigned, modified as needed and
canceled promptly when individuals transfer to other positions or leave
the college. Employees should not save, store or share confidential or
sensitive data on personally owned devices. As previously noted, employees that receive, maintain, process or otherwise have access to confidential information are responsible for protecting confidential customer data in accordance with the Gramm-Leach-Bliley Act and the Federal Trade Commission's Safeguards Rule.
In order to duplicate any copyrighted material, appropriate legal
permission must first be obtained from the copyright holder. All software
loaded onto Onondaga Community College owned computers must be properly
licensed. Faculty, staff and
students are not permitted to load non-licensed computer software onto
any College owned equipment.
Access to Onondaga Community College’s computing technology systems is
strictly controlled by the use of a user name and password to protect privacy
and comply with federal law. Computer accounts and passwords are assigned
to one individual and should be used by only that person. Users are expected to protect all passwords
and accounts from unauthorized access.
The owner of the account is responsible for keeping the account
password private and secure and for all activity that takes place on their
account, whether intentional or unintentional. Unauthorized or illegal activity should
be reported to the Information Technology Help Desk. If an account is shared or password is
given out, the holder of the account may lose all account privileges
and be held personally responsible for any actions that arise from misuse
of the account.
- College Property.
College property, including computers, software, peripherals, telephones,
and related equipment and supplies, is not to be moved within the college or removed from the premises
without written advance permission from the Administrative Department
Head, Department Chair, or an authorized supervisor. The Computing Move-Add-Change Request Form must be completed to facilitate internal moves of computing units.
Any user who violates this or other Onondaga Community College Policies,
procedures, contractual obligations, or applicable state or federal laws, is
subject to appropriate disciplinary and legal action, including, but not
limited to, the limitation or denial of access to Onondaga Community
College’s computer systems and communications networks. Violators may also
be subject to disciplinary action, up to and including termination. Onondaga
Community College reserves the right to revoke access to its computer
systems and communications networks.
- Improper Behavior.
Improper use of Onondaga Community College’s computing systems is
prohibited. The following are additional examples of improper and
Activity. Storing, transmitting, accessing or
printing via the computer systems and communications networks anything that
contains illegal content or files, that infringes upon the rights of another
person or entity, that contains sexually offensive or inappropriate information
and/or graphic material, that consists of any advertisements for commercial
enterprises, or that consists of information that may injure someone else
and/or lead to a lawsuit or criminal charges.
b. Downloading. Downloading, uploading, distributing, or running any file or program
that has the potential to damage files, networks, servers, or computers; or for
the purpose of eavesdropping on others’ communications; or if the user is not
licensed or does not have the appropriate permission of the owner of the file
to download such file. Users are prohibited from downloading, or running any
data or programs without prior approval and without a demonstrated business
need, including file sharing software, music, games, videos, chat services,
peer-to-peer software and any non-business related software or data.
Use/Access. Gaining or attempting to gain
unauthorized access to OCC computing resources including remote computers or
another user’s electronic communications, files or software without the
permission of the owner, including, but not limited to, violations of software
and other licenses, accessing computing resources that they are unauthorized to
use and access via unapproved protocols. Actions that give simulated sign off messages,
public announcements, or other fraudulent system responses. Having or changing
system control information such as program status, protection codes, and
accounting information especially when used to defraud others, obtain
passwords, gain access to and/or copy another's electronic communications, or
otherwise interfere with or destroy their work.
d. Harassment. Harassing others by sending annoying, abusive, profane,
threatening, defamatory or offensive messages. Some examples include: obscene,
threatening, or repeated unnecessary messages; sexually, ethnically, racially,
or religiously offensive messages; continuing to send messages after a request
to stop; and procedures that hinder a computer session.
Sabotage. Intentionally destroying anything
stored on the computer system or communications networks. Deliberately
performing any act that will seriously impact the operation of the computer
systems and communications networks.
Use of Data. Data created and maintained by
Onondaga Community College, or acquired from outside sources, are vital assets
of Onondaga Community College. Administrative, research, and other data may be
subject to a variety of use restrictions.
Theft. Unless specifically authorized,
copying computer program(s) from the computer systems and communications
Spyware, etc. Running or installing on the
computer systems, including accessing potentially destructive files either knowingly or unknowingly, or giving to another a program or file that could result in
the eventual damage to a file or the computer systems and communications
networks, and/or the reproduction of itself. This is directed towards, but not
limited to, the classes of programs known as computer viruses, Trojan horses, worms,
i. Pornographic Materials. The public showing of or display of pornographic materials on the Onondaga Community College campus, or the manner that a third party would reasonably tend to associate with the College, is prohibited.
9. Abuse: Abuse of Onondaga Community College's computing systems
includes, but is not limited to, the following, and will not be tolerated under
or Breaching Security. Attempting
to circumvent data protection schemes, uncover security loopholes or attempt to
gain access to resources that are not properly authorized. It is strictly
forbidden to attempt to circumvent any of Onondaga Community College's security
measures. Hacking and password grabbing are also strictly prohibited. Accounts, passwords, and other authentication
mechanisms may not, under any circumstances, be shared with, or used by,
persons other than those to whom they have been assigned by the college.
Letters. The propagation of chain letters is
c. Flooding. Posting a message with the intention of reaching as many
users as possible is prohibited.
Commercial Purposes. Users are prohibited from using
Onondaga Community College's computer systems and communications networks for
personal and/or financial gain.
Resources. Performing acts that are wasteful
of computing resources or large attachments to many users or that unfairly monopolize resources to the exclusion
of others. These acts include, but are not limited to, sending mass mailings or
chain letters, creating unnecessary multiple jobs or processes, generating
unnecessary or excessive output, accessing and/or printing inappropriate
material, printing or creating unnecessary network traffic; or using printers
as copy machines (i.e., printing multiple copies of documents, papers, flyers,
etc.). The Duplicating department should be used for all large print jobs and
manuals, where more cost effective double sided copying can be done.
f. False or Misleading Email Address. Using a
misleading or false email return address.
Email. Users are prohibited from sending
unsolicited commercial email messages or from sending any email messages “en
masse” to persons not known.
Use: Use of the computing systems and
communications networks, if such use interferes with academic or business use. Public computing areas are designated for academic
- Monitoring, Access, Disclosure. Users should not expect email privacy or privacy in other
electronic communications when connected to Onondaga Community College’s
computing systems and communications networks. While Onondaga Community
College does not generally monitor or access email, files, and other
information transmitted via or stored on the Onondaga Community College computing
systems and communications networks, it does regularly monitor, access,
review, and disclose such information where appropriate and to proactively
prevent data security breaches and unauthorized activity. Without limiting the generality of the
foregoing or the discretion of Onondaga Community College in determining
when appropriate circumstances exist, appropriate circumstances include:
investigating computer systems and communications networks performance and
system problems; investigating IT Security Incidents; disconnecting personal and college-owned equipment and user credentials; determining if an
individual is in violation of this policy; to ensure that Onondaga
Community College is not subject to claims of institutional misconduct; to
investigate possible misuse of Onondaga Community College resources,
violation of law or regulations, or violation of Onondaga Community
College policies and procedures; in connection with academic,
disciplinary, or administrative inquiries; in connection with legal
proceedings; for purposes related to Onondaga Community College business;
and as otherwise permitted by law. Onondaga Community College has the
authority to access and inspect the contents of any College equipment,
files or email on its systems. OCC may restrict or filter access to
specific services or protocols for technical, security, policy, or legal
reasons. Users accessing or
attempting to access services not offered by OCC, either intentionally or
unintentionally, may be subject to disciplinary or legal action. Access to
files on college-owned equipment will only be approved by specific
personnel when there is a valid reason to access those files. Authority to
access user files can only come from the Vice President & Chief Information Officer in
conjunction with the Vice President to whom the user reports (or the
President if the subject of investigation is a Vice President and/or the
Vice President of Human Resources or designee). Onondaga Community College
General Counsel may be consulted if deemed necessary. External law
enforcement agencies may request access to files through valid subpoenas
and other legally binding requests. All such requests must be approved by
Onondaga Community College General Counsel. Information obtained in this
manner can be admissible in legal proceedings or in a college hearing.
- Deleting Electronic Communications. Users of the computing systems and communications
networks should be aware that electronic communications are not
necessarily erased from the computer systems when the user
"deletes" files or messages. An electronic communication may
continue to be stored on a backup copy long after it is
"deleted" by the user. As a result, deleted messages can often
be retrieved or recovered after they have been deleted (see Policy J4 Email, Telephone & Voice Mail Usage).
- Physical and Environmental Security. Onondaga Community College provides
reasonable security measures against intrusion and damage to files. Information
processing and storage facilities for critical information should be
located in areas with controls for accessing the facilities. These
physical security mechanisms are intended to protect the facilities from
unauthorized access, damage or interference and should be periodically
reviewed to ensure such protection. The IT Data Center is strictly controlled
and only available to authorized personnel who have a need to transact
specific college computer-related business within the IT department. Automated controls requiring
re-authentication are implemented to protect computing devices from
unauthorized use. When employees leave the work area, the screen must be
cleared and the terminal/PC totally locked or logged off from all
administrative systems, applications and networks. Hard copy administrative data obtained
from the administrative systems and applications must be carefully protected, especially those that contain restricted administrative data. Provisions must be made for the secure
disposal of this administrative data.
Development and Maintenance. Security
issues must be identified during the requirements phase of any project and
must be agreed upon and documented as part of any project plan or new
- Third Party Service Providers. Third party service provider contracts
must be reviewed to ensure providers are capable of maintaining appropriate
information security measures including a documented Information Security
and cyber liability insurance coverage that is consistent with applicable Onondaga Community College policies, procedures,
standards, guidelines; and municipal, state, and federal laws, rules, and
regulations. Third party service providers are required to complete OCC's Third Party Vendor Assessment Questionnaire that must be reviewed and approved by the IT Department prior to the execution of any contract or agreement for software, hosting, or other technology related services. Access to OCC computing resources by third parties, including contractors and vendors, is temporary in nature and must be requested through the use of the Provisional Computer Access Request Form; such users are expected to be aware of and comply with the provisions of this policy.
VII. Administrative Data Owners
Access to administrative data and
information systems is determined by an employee’s job duties and is limited to
the extent necessary for employees to perform the responsibilities of their position. Administrative Data Owners are the
individuals and departments with the responsibility and authority for establishing
and maintaining appropriate security measures for the data within their jurisdiction.
Administrative Data Owners make decisions regarding controls, access privileges
of users and determining the appropriate level of access (view, update,
etc.). Administrative Data Owners are
responsible for ensuring that an appropriate user management process is
implemented for third parties who may need access to OCC administrative data
and information systems including validation of the identity of the user, scope
of access and timely notification when access is no longer needed.
The Administrative Data Owners include
those with executive level responsibility within the college administration
including: Academic Affairs, Administration & Compliance, Ancillary
Services, Campus Life & Safety, Development, Enrollment Development &
Communications, Financial Services, General Counsel, Human Resources,
Information Technology, Institutional Planning, Assessment & Research, and Student
Engagement & Learning Support.
Administrative Data Owners are
responsible for ensuring that individuals with access to administrative data
are aware of the confidential nature of the information and the limitations, in
terms of disclosure, that apply to the data. When accessing restricted
information, employees are responsible for maintaining its
confidentiality. The Human Resources office is responsible for notifying
the Information Technology department when an employee is separated from the college. Upon notification from Human Resources, the IT department
handles changes to the employee account credentials and terminates access as
directed. This standard procedure serves
to protect the employee, administrative computing systems, applications and
networks against possible tampering. Supervisors
are responsible for notifying the IT department of a change to an employee’s
job functions so that access rights are adjusted accordingly. The
individual departments of the college are responsible for training their
employees on the operational and appropriate use of administrative data systems
including appropriate handling of confidential data.
VIII. IT Security Incidents, New York Information Breach & Notification Requirements
The college uses reasonable efforts to maintain the security of private information (as defined in the New York State Information Security Breach and Notification Act, as amended ("ISBNA") (General Business Law § 889-aa; State Technology Law § 208)) that it creates, receives, maintains, or transmits to prevent unauthorized use and/or disclosure of that private information; and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic private information. The college agrees to fully disclose, pursuant to the ISBNA and any other applicable law, any breach of the security of a system following discovery or notification of the breach in the system to any resident of New York State whose private information was, or is reasonably believed to have been, acquired without valid authorization ("Security Incidents"). The disclosure shall be made in the most expedient time possible. In the event of a security incident, OCC has an obligation to notify individuals whose private information has been or may have been compromised. In such an instance, OCC will determine the manner in which such notification will be provided to the individuals involved pursuant to the ISBNA.
Incidents generally defined as: 1) any event involving Onondaga Community
College Computing technology that is suspected or determined to a) violate
applicable state or federal law or regulation; b) be harmful to the security or
privacy of Onondaga Community College Computer Systems, Communications
Networks, Onondaga Community College information, or the general public; c) be
otherwise harmful to Onondaga Community College Computer Systems and/or Communications
Networks; or d) cause unexpected disruption to Onondaga Community College
Computer Systems and/or Communications Networks; or 2) any inquiry requests in
connection with academic, disciplinary, or administrative investigations. An IT
security incident that impacts regulated data (e.g., Student Information,
Personal Health Information, SSNs) or sensitive Onondaga Community College
Data (e.g., business contracts) will be considered a Critical Incident.
- IT Security Incidents. The IT Security Incident response procedures are
intended to protect Onondaga Community College’s computing technology,
including information resources, from future unauthorized access, use or
damage, and to mitigate the impact of the IT Security Incident. These
procedures will also be followed in connection with academic, disciplinary
or administrative inquiries.
- IT Security Incident Response Team. The IT Department, in consultation with the
Administration, is responsible for coordinating the handling of IT
Security Incidents, and related duties, such as alerting the campus to
attacks. The response to IT Security Incidents involves both technical and
management personnel that are properly positioned to represent key IT and
business interests. Oversight of the response to IT Security Incidents is
the responsibility of the Chief Information Officer.
- Reporting and Detection of IT Security Incidents. Any member of the Onondaga Community College campus
community may request investigation of a suspected IT Security Incident
from the IT Department. The IT Department itself might detect IT Security
Incidents. IT will take appropriate steps to track, investigate, and
resolve reported or detected IT Security Incidents and report the outcome
to the appropriate parties. Critical IT Security Incidents must be
promptly reported to the IT Department. Departments and individuals are
encouraged to report all IT Security Incidents to help improve the
tracking of trends and threats.
- Assessment and Escalation. Onondaga Community College has the authority to access,
inspect, and disclose the contents of any College equipment, files or
email on its systems. Access to files on College owned equipment will only
be approved by specific personnel when there is a valid reason to access
those files. If it is necessary to access user files, authority must be
obtained from the Chief Information Officer and the Vice President to whom
the user reports (or the President if the subject of investigation is a
Vice President and/or Vice President of Human Resources or designee). Onondaga
Community College General Counsel will be consulted if deemed necessary.
- IT Authority and Actions. For Critical IT Security Incidents, IT management will
have authority to involve legal entities, to disconnect or shut down part
or all of the campus IT infrastructure, and to direct other campus IT
personnel to take specific actions. For non-Critical IT Security
Incidents, IT may disconnect individual systems, as needed, but will work
with User areas to balance disruptions against the security risks.
- Reporting, Documentation, and Communication. IT maintains records of reported or detected IT
Security Incidents and strives to communicate important security
information to the campus community. In the event of an actual Critical IT
Security Incident, IT will ensure timely notification to campus
leadership, including the campus President and SUNY System Administration
officials as appropriate. The IT
department plays a leadership role in conducting cyber security awareness
activities and in proactively educating the campus community regarding appropriate
security procedures to minimize risk and prevent data security issues.
Approved by OCC Board of Trustees April 3, 2006
Updated and approved by the President January 31, 2011
Updated and approved by the President April 14, 2014
Updated and approved by the President June 15, 2015
Updated and approved by the President April 3, 2017
Updated and approved by the President September 22, 2017
Updated and approved by the President October 16, 2017