Responsibility for Maintenance: Information Technology Services
Date of Most Recent Changes: June 15, 2021
I. Policy Statement
Onondaga Community College (OCC) offers students and employees a broad range of technology and information services. In order to maintain systems that effectively serve and support the campus community, and comply with privacy laws and regulations, OCC manages and maintains the use of information technology to ensure that it is protected, reliable and accessible.
The College provides students, faculty, staff and campus guests with the ability to connect throughout the campus, both wired and wirelessly, to communicate and access College resources and information systems. Users will be held accountable for their activity on those systems.
Computers and technology equipment are issued to employees for the performance of their jobs. They remain the property of OCC and will need routine updating.
All technology-related purchases must be reviewed and approved by ITS, including but not limited to: software, hardware, internal and external "cloud" services, hosting arrangements and participation in any IT pilot programs. Third-party and vendor-supplied computing devices intended to be connected to the OCC network must first be reviewed and approved by ITS and meet security standards established by the College. Software that requires integration with OCC information systems must be assessed and vetted by the Administrative Systems Oversight Team (ASOT) and approved by ITS.
Personally-owned devices may connect to the OCC public wireless network. Although OCC does not provide technical support for personal technology, guidelines and advice are available. See Policy J8 for acceptable security standards for personally owned devices.
II. Reason for Policy
OCC has implemented this policy in order to appropriately manage, operate, maintain, and monitor the use of its information technology and systems to ensure that secure and well-operating systems are available to the campus community and remain in compliance with laws and regulations.
III. Applicability of the Policy
This policy applies to all students, faculty, staff, contractors, visitors, third-party providers and others who have access to the college network and who are authorized by the college to use OCC's information technology. Such authorized users are responsible for knowing the procedures and regulations of OCC that apply to this policy, and for exercising good judgment in the appropriate use of the college’s technology and information systems.
IV. Related Documents
- Onondaga Community College Policy L2 Copying Materials Protected By Copyright
- Onondaga Community College Policy J2 Internet Privacy
- Onondaga Community College Policy J3 Copyright Infringement Notice And Takedown Pursuant To The Digital Millennium Copyright Act
- Onondaga Community College Policy J11 Data Classification and Handling Policy
- Onondaga Community College N4 Display of Pornographic Materials
| Subject | Office Name | Title or Position | Telephone Number | Email/URL |
| --- | --- | --- | --- | --- |
| Entire Policy | Information Technology Services | Vice President & Chief Information Officer | (315) 498-2717 | [email protected] |
User Responsibilities. OCC's employees and students have varied access to a range of technology and information systems, some of which contain sensitive data of their own and others. Consequently, it is important for users to behave in a responsible, ethical, and legal manner and protect the confidentiality of individuals' information that is entrusted to OCC.
Given the evolving nature of cyber-attacks and threats, all OCC employees are required to participate in annual Cyber Security Awareness training. Failure to do so may result in account disablement.
OCC students and employees (Users) are responsible for the appropriate use of OCC's information technology, including, but not limited to, the following:
- Compliance. All Users are required to comply with all applicable OCC policies, procedures, standards, guidelines and municipal, state, and federal laws, rules, and regulations including the Gramm-Leach-Bliley Act (P.L. 106-102), the Federal Trade Commission's Safeguards Rule (16 CFR Part 314), and the Americans With Disabilities Act.
- Authorized Use. Users are permitted to use only those technology resources for which authorization has been obtained and are required to use those resources and tools only in the manner and to the extent authorized. Employees authorized to use OCC technology and information systems are restricted to work-related use. OCC employees are encouraged to conduct personal business with their own personal technologies.
- Statement of Responsibility. Any employee who is assigned to work with access to the OCC technology and information systems is required to complete a Statement of Responsibility form prior to being authorized for use.
- Access to Administrative Data. Access to administrative data by student workers is highly restrictive and limited. Supervisors may decide what portions of administrative data their student employees should have access to. Such access should be allowed only when staff members of the department are present to supervise the student employee and a Student Aide Computer Access Form has been completed and approved. In addition, OCC is bound by its contractual and license agreements respecting certain third party resources; users are expected to comply with all such agreements when using such resources.
- Confidentiality. Users are expected to protect and maintain the confidentiality and integrity of information obtained by access to OCC technology and information systems. Employees granting approval for access or directly accessing restricted or private information shall be aware of their obligations regarding the protection and responsibilities of accessing such data. Those authorized to access restricted or private data should only do so when performing activities and responsibilities required of their position. Access to restricted and private data may only be granted to individuals where a business need exists and the individual has appropriate authorization in OCC information systems. Those authorized to grant or revoke access to restricted or private data are responsible for ensuring that access is appropriately assigned, modified as needed and cancelled promptly when individuals transfer to other positions or leave the college.
- Storage. Employees should not save, store or share confidential or sensitive data on personally owned devices. Employees may not store data in personal online services that are not under contract with OCC. OCC work-product should be stored only in Office 365 (OneDrive and SharePoint) or other ITS-approved storage.
- Access. Access to OCC’s technology and information systems is strictly controlled by the use of a username and password to protect privacy and comply with federal law. OCC accounts and passwords are assigned to individuals and must not be shared. Users are expected to protect all passwords and accounts from unauthorized access. The owner of the account is responsible for keeping the account password private and secure and for all activity that takes place on their account, whether intentional or unintentional. Unauthorized or illegal activity should be reported to the ITS Help Desk. If an account is shared or password is given out, the holder of the account may lose all account privileges and be held personally responsible for any actions that arise from misuse of the account.
- College Property. College property, including computers, software, peripherals, telephones, and related equipment and supplies, is not to be moved within the college or removed from the premises without written advance permission from the Administrative Department Head, Department Chair, or an authorized supervisor. The Computing Move-Add-Change Request Form must be completed to facilitate moves and ensure network accessibility.
- Violations. Any user who violates this or other OCC policies, procedures, contractual obligations, or applicable state or federal laws, is subject to appropriate disciplinary and legal action, including, but not limited to, the limitation or denial of access to OCC’s network and systems. Violators may also be subject to disciplinary action, up to and including termination.
- Improper Behavior. Improper use of OCC’s information systems is prohibited. The following are additional examples of improper and prohibited use:
a. Illegal Activity. Use of OCC technology and information systems prohibits the storage, transmission, access and printing of anything that contains illegal content or files, that infringes upon the rights of another person or entity, that contains sexually offensive or inappropriate information and/or graphic material (see Policy N4 Display of Pornographic Material), that consists of any advertisements for commercial enterprises, or that consists of information that may injure someone else and/or lead to a lawsuit or criminal charges.
b. Downloading and Uploading. Downloading, uploading, distributing, or running any file or program that has the potential to damage files, networks, servers, or computers; or for the purpose of eavesdropping on others’ communications; or if the user is not licensed or does not have the appropriate permission of the owner of the file to download such file. Users are prohibited from downloading, or running any data or programs without prior approval and without a demonstrated business need, including file sharing software, music, games, videos, chat services, peer-to-peer software and any non-business related software or data.
c. Unauthorized Use/Access. Gaining or attempting to gain unauthorized access to OCC computing resources including remote computers or another user’s electronic communications, files or software without the permission of the owner, including, but not limited to, violations of software and other licenses, accessing computing resources that they are unauthorized to use and access via unapproved protocols. Actions that give simulated sign off messages, public announcements, or other fraudulent system responses. Having or changing system control information such as program status, protection codes, and accounting information, especially when used to defraud others, obtain passwords, gain access to and/or copy another's electronic communications, or otherwise interfere with or destroy their work.
d. Harassment. Harassing others by sending annoying, abusive, profane, threatening, defamatory or offensive messages or images. Some examples include: obscene, threatening, or repeated unnecessary messages; sexually, ethnically, racially, or religiously offensive messages; continuing to send messages after a request to stop.
e. Destruction, Sabotage. Intentionally destroying anything stored on the computer system or communications networks. Deliberately performing any act that will seriously impact the operation of the OCC information systems and communications networks.
f. Theft/Unauthorized Use of Data. Data created and maintained by OCC, or acquired from outside sources, are vital assets of OCC. Administrative, research, and other data may be subject to a variety of use restrictions.
g. Viruses, Spyware, etc. Running or installing on the computer systems, including accessing potentially destructive files either knowingly or unknowingly, or giving to another a program or file that could result in the eventual damage to a file or the computer systems and communications networks, and/or the reproduction of itself. This is directed towards, but not limited to, the classes of programs known as computer viruses, trojan horses, worms, and malware.
10. Abuse: Abuse of OCC's computing systems includes, but is not limited to, the following, and will not be tolerated under any circumstances:
a. Circumventing or Breaching Security. Attempting to circumvent data protection schemes, uncover security loopholes or gain access to resources that are not properly authorized. It is strictly forbidden to attempt to circumvent any of OCC's security measures. Hacking and password grabbing are also strictly prohibited. Accounts, passwords, and other authentication mechanisms may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the college.
b. Private Commercial Purposes. Users are prohibited from using OCC's information systems and communications networks for personal and/or financial gain.
c. Wasting Resources. Performing acts that are wasteful of computing resources or large attachments to many users or that unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, creating unnecessary multiple jobs or processes, generating unnecessary or excessive output, accessing and/or printing inappropriate material, printing or creating unnecessary network traffic; or using printers as copy machines (i.e., printing multiple copies of documents, papers, flyers, etc.). The Duplicating Department should be used for all large print jobs and manuals, where more cost-effective double-sided copying can be achieved.
d. False or Misleading Email Address. Using a misleading or false email return address.
e. Unsolicited Email. Users are prohibited from sending unsolicited commercial email messages or from sending any email messages “en masse” to persons not known.
f. Recreational Use: Use of the computing systems and communications networks, if such use interferes with academic or business use.
11. Monitoring, Access, Disclosure. Users should not expect email privacy or privacy in other electronic communications when connected to OCC’s information systems and communications networks. While OCC does not monitor or access email, files, and other information transmitted via or stored on OCC's information systems and communications networks, it does monitor, access, review and disclose such information where appropriate and to proactively prevent data security breaches and unauthorized activity. Access to files on college-owned equipment will only be approved by specific personnel when there is a valid reason to access those files. Authority to access user files can only come from the Vice President & Chief Information Officer in conjunction with the Vice President to whom the user reports (or the President if the subject of investigation is a Vice President and/or the Vice President of Human Resources or designee). OCC General Counsel may be consulted if deemed necessary. External law enforcement agencies may request access to files through valid subpoenas and other legally binding requests. All such requests must be approved by the college President. Information obtained in this manner can be admissible in legal proceedings or in a college hearing.
12. Physical and Environmental Security. OCC provides reasonable security measures against intrusion and damage to files. Information processing and storage facilities for critical information should be located in areas with controls for accessing the facilities. These physical security mechanisms are intended to protect the facilities from unauthorized access, damage or interference and should be periodically reviewed to ensure such protection. The ITS Data Center is strictly controlled and only available to authorized personnel who have a need to transact specific college computer-related business within ITS. Automated controls requiring re-authentication are implemented to protect computing devices from unauthorized use. When employees leave the work area, the screen must be cleared and the computer locked and logged off from all administrative systems, applications and networks. Hard copy administrative data obtained from the administrative systems and applications must be carefully protected, especially those that contain restricted administrative data. Provisions must be made for the secure disposal of this administrative data.
13. System Development and Maintenance. Security issues must be identified during the requirements phase of any project and must be agreed upon and documented as part of any project plan or new software installation.
14. Third Party Service Providers. Third party service provider contracts must be reviewed to ensure providers are capable of maintaining appropriate information security measures including a documented Information Security policy and cyber liability insurance coverage that is consistent with applicable OCC policies, procedures, standards, guidelines; and municipal, state, and federal laws, rules, and regulations. Third party service providers are required to complete OCC's Third Party Vendor Assessment Questionnaire that must be reviewed and approved by ITS prior to the execution of any contract or agreement for software, hosting, or other technology related services. Access to OCC computing resources by third parties, including contractors and vendors, is temporary in nature and must be requested through the use of the Provisional Computer Access Request Form; such users are expected to be aware of and comply with the provisions of this policy.
VII. Administrative Data Stewards
Access to administrative data and information systems is determined by an employee’s job duties and is limited to the extent necessary for employees to perform the responsibilities of their position. Administrative Data Stewards are the individuals and departments with the responsibility and authority for establishing and maintaining appropriate security measures for the data within their jurisdiction. Administrative Data Stewards make decisions regarding controls, access privileges of users and determining the appropriate level of access (view, update, etc.). Administrative Data Stewards are responsible for ensuring that an appropriate user management process is implemented for third parties who may need access to OCC administrative data and information systems including validation of the identity of the user, scope of access and timely notification when access is no longer needed.
The Administrative Data Owners include those with executive level responsibility within the college administration including:
- Admissions records
- Academic records
- Student records
- Financial Aid
- Student Accounts
- Human Resources
- Alumni & Donor
- Institutional Planning, Assessment & Research
- Information Technology Services (CORE data and network system information)
Administrative Data Stewards are responsible for ensuring that individuals with access to administrative data - particularly data classified as RESTRICTED and PRIVATE - are aware of the confidential nature of the information and the limitations, in terms of disclosure, that apply to the data. When accessing restricted or private information, employees are responsible for maintaining its confidentiality. The Human Resources office is responsible for notifying ITS when an employee is separated from the college. Upon notification from Human Resources, ITS handles changes to the employee account credentials and terminates access as directed. This standard procedure serves to protect the employee, administrative computing systems, applications and networks against possible tampering. Supervisors are responsible for notifying ITS of a change to an employee’s job functions so that access rights are adjusted accordingly. The individual departments of the college are responsible for training their employees on the operational and appropriate use of administrative data systems including appropriate handling of restricted and private data.
VIII. IT Security Incidents, New York Information Breach & Notification Requirements
The college uses reasonable efforts to maintain the security of private information (as defined in the New York State Information Security Breach and Notification Act, as amended, "ISBNA" (General Business Law § 889-aa; State Technology Law § 208)) that it creates, receives, maintains, or transmits to prevent unauthorized use and/or disclosure of that private information; and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic private information. The college agrees to fully disclose, pursuant to the ISBNA and any other applicable law, any breach of the security of a system following discovery or notification of the breach in the system to any resident of New York State whose private information was, or is reasonably believed to have been, acquired without valid authorization ("Security Incidents"). The disclosure shall be made in the most expedient time possible. In the event of a security incident, OCC has an obligation to notify individuals whose private information has been or may have been compromised. In such an instance, OCC will determine the manner in which such notification will be provided to the individuals involved pursuant to the ISBNA.
IT security incidents are generally defined as: 1) any event involving OCC information technology or systems that is suspected or determined to a) violate applicable state or federal law or regulation; b) be harmful to the security or privacy of OCC computer systems, communications networks, OCC information, or the general public; c) be otherwise harmful to OCC information systems and/or communications networks; or d) cause unexpected disruption to OCC computer systems and/or communications networks; or 2) any inquiry requests in connection with academic, disciplinary, or administrative investigations. An IT security incident that impacts regulated data (e.g., student information, personal health information, SSNs) or sensitive OCC data (e.g., business contracts) will be considered a Critical Incident.
- IT Security Incidents. IT security incident response procedures are intended to protect OCC’s information technology, including information resources, from future unauthorized access, use or damage, and to mitigate the impact of the IT security incident. These procedures will also be followed in connection with academic, disciplinary or administrative inquiries.
- IT Security Incident Response Team. ITS, in consultation with the college's executive team and President, is responsible for coordinating the handling of IT security incidents, and related duties, such as alerting the campus to attacks. The response to IT security incidents involves both technical and management personnel that are properly positioned to represent key IT and business interests. Oversight of the response to IT security incidents is the responsibility of the Vice President & Chief Information Officer.
- Reporting and Detection of IT Security Incidents. Any member of the OCC campus community may request investigation of a suspected IT security incident from ITS. ITS itself might detect IT security incidents. ITS will take appropriate steps to track, investigate, and resolve reported or detected IT security incidents and report the outcome to the appropriate parties. Critical IT security incidents must be promptly reported to ITS. Departments and individuals are encouraged to report all IT security incidents to help improve the tracking of trends and threats.
- Assessment and Escalation. OCC has the authority to access, inspect, and disclose the contents of any college equipment, files or email on its systems. Access to files on college owned equipment will only be approved by specific personnel when there is a valid reason to access those files. If it is necessary to access user files, authority must be obtained from the Vice President and Chief Information Officer and the Vice President to whom the user reports (or the President if the subject of investigation is a Vice President and/or Vice President of Human Resources or designee). OCC General Counsel will be consulted if deemed necessary.
- IT Authority and Actions. For critical IT security incidents, ITS management will have authority to involve legal entities, to disconnect or shut down part or all of the campus IT infrastructure, and to direct other campus IT personnel to take specific actions. For non-critical IT security incidents, ITS may disconnect individual systems, as needed, but will work with user areas to balance disruptions against the security risks.
- Reporting, Documentation, and Communication. ITS maintains records of reported or detected IT security incidents and strives to communicate important security information to the campus community. In the event of an actual Critical IT Security Incident, IT will ensure timely notification to campus leadership, including the campus President and SUNY System Administration officials as appropriate. ITS plays a leadership role in conducting cyber security awareness activities and in proactively educating the campus community regarding appropriate security procedures to minimize risk and prevent data security issues.
Approved by OCC Board of Trustees April 3, 2006
Updated and approved by the President January 31, 2011
Updated and approved by the President April 14, 2014
Updated and approved by the President June 15, 2015
Updated and approved by the President April 3, 2017
Updated and approved by the President September 22, 2017
Updated and approved by the President October 16, 2017
Updated and approved by the President September 19, 2018
Updated and approved by the President June 15, 2020
Updated and approved by the President June 15, 2021