Acceptable Use of Information Technology Resources Policy

RELATED COLLEGE POLICIES

Electronic Mail Policy, Password Policy, Remote Access Policy, Privacy Policy 

POLICY CATEGORY 

Information Technology Services (ITS) 

APPROVAL AUTHORITY 

President’s Leadership Team 

POLICY OWNER 

Vice President, Information Technology Services and Chief Data Officer 

POLICY STAKEHOLDER 

Data and Technology Council 

CONFIDENTIALITY LEVEL (Public, Internal, Confidential)

Public

APPROVAL DATE 

9/2019 

EFFECTIVE DATE 

9/2019 

REVIEW FREQUENCY 

Annual 

PURPOSE/SCOPE 

The purpose of this policy is to define the acceptable use of Bristol Community College (“Bristol” or “college”) applications, hardware, information and other information technology resources and systems. This policy applies to any person utilizing Bristol information technology resources. The following persons (“users”) are authorized to use Bristol information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors.     

POLICY STATEMENT 

Acceptable use of Bristol information technology resources includes use for academic, educational, or professional purposes that are directly related to official college business and in support of the college mission. Users are encouraged to utilize Bristol’s information technology resources to the fullest extent in pursuit of the college’s mission, goals, and objectives. The college expects that these information technology resources are always used in a responsible manner and reserves the right to limit or remove access as needed. 

Bristol’s electronic communications systems, including Internet, telephony, email, and messaging services are to be used primarily for college related purposes. Users shall have no expectation of privacy over any communication, transmission or work performed using or stored on college information technology resources. The college reserves the right to monitor any and all aspects of its information technology resources and to do so at any time, without notice, and without the user's permission.  

Bristol Community College makes no warranties, expressed or implied, for the information technology resources it provides. Bristol will not be responsible for any damages a user may suffer, including loss of data, undelivered messages, or content or service interruptions. Bristol denies any responsibility for the accuracy or quality of information obtained through its information technology resources. The college is a “carrier” of information through electronic channels rather than a “publisher” of information. With the exception of official college publications or legitimate business communications through internal processes, the college is not expected to be aware of, or responsible for, materials or communications.

 Uses of Technology 

  1. Access – All access to Bristol applications, systems and hardware shall be authorized and approved. Any access not explicitly authorized and approved is prohibited. Access to specific applications, systems, components and technology infrastructure shall only be granted to users with a legitimate need for such access. The level of access granted, and privileges assigned, shall be limited to the minimum required to perform assigned duties or to access appropriate systems or services. 
  2. Remote Access – is authorized for only those users with an approved business or academic use. Users who have been approved for remote access are responsible for adhering to the requirements defined in the Remote Access Policy.
  3. Media – users shall not use media, such as flash drives or portable hard drives, until they have been scanned for viruses, spyware, malware, Trojans, or other similar threats to the security or functionality of Bristol information technology resources. 
  4. Data Encryption and Storage – confidential and/or personally identifiable information (PII) must be protected by encryption. Encryption methods that have been approved and implemented by Information Technology Services should be used in all cases. Users who are unfamiliar with using approved encryption technologies should seek guidance from the ITS Help Desk. 
  5. Cloud Computing and Storage – advances in cloud computing offer convenient technology solutions such as data storage and connectivity. Data placed on any cloud computing storage solution must adhere to the same policies as data stored on Bristol’s internal technology resources.  
  6. Unacceptable use of technology includes, but is not limited to, the following:
      • any illegal or unethical act, including violation of any criminal or civil laws or regulations, whether state or federal; 
      • any conduct that violates the college’s Policy on Affirmative Action, Equal Opportunity and Diversity; 
      • any conduct that violates the college’s Code of Student Conduct; 
      • any conduct that unreasonably interferes with the normal operation of the College;  
      • any commercial or profit-making purpose; 
      • sending threatening or harassing messages, whether sexual or otherwise; 
      • accessing or sharing sexually explicit or obscene materials; 
      • infringing on any copyright or intellectual property rights; 
      • any use that causes interference with or disruption of network users and resources, including propagation of computer viruses or other harmful programs; 
      • intercepting communications intended for other persons; 
      • misrepresenting the college or a person’s role at the college; 
      • distributing chain letters; or 
      • defaming any person. 

Computer Virus and Malware Protection 

It is important that users take care to avoid compromising the security of the Bristol network. Users shall exercise reasonable precautions to prevent the introduction of a computer virus or other malware into the Bristol network. Virus scanning software is installed on all Bristol systems and is used to check any software downloaded from the Internet or obtained from any questionable source. Users are prohibited from disabling, or attempting to disable, virus scanning software. Users must scan portable media devices for viruses and malware before using them to ensure that they have not been infected. If users are unsure of how to utilize virus and malware scanning tools, they should contact the ITS Help Desk for additional information. 

Messaging Technologies 

Email and other messaging technologies shall never be used to transmit personally identifiable information (“PII”) in an unencrypted format. Users must pay additional attention to email content and senders and must not open email attachments from unrecognized or suspicious senders. If there are questions about the security of an email, email attachment, or messaging technology, users should contact the college ITS Help Desk. For additional information on the use of email and messaging technologies at Bristol, consult the Electronic Mail Policy.

Definition of Personally Identifiable Information (PII) 

Personally Identifiable Information (“PII”) is any information about an individual generated, received, and/or stored by Bristol that could be used to distinguish or trace a person’s identity. This information also includes numbers that directly and uniquely identify an individual such as name, social security numbers or biometric information or any indirect information that is linked or can be linkable through the sum of its parts to an individual, such as medical, educational, or stored financial information.   

Except in situations where there is a legitimate business need and no reasonable alternative exists, the following information may not be collected or stored: 

  • Social Security Number (SSN), passport number, driver’s license number or state issued identification card numbers; 
  • Date of birth, place of birth, or mother’s maiden name; 
  • Credit card numbers, debit card numbers, bank account info, or income tax records; 
  • Address information, such as street address or email address; 
  • Personal characteristics, including photographic image (especially the face or other identifying characteristic); 
  • Information about a person, including student ID numbers or employee ID numbers, that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, educational information, or financial information). 

Incident Response 

Bristol ITS staff will respond to all information technology security related incidents, such as computer virus infections. To effectively respond to these events, the ITS staff relies on timely information and reporting from users. Consequently, users are required to contact the Bristol ITS Help Desk if they:

  • Observe unauthorized or suspicious activity; 
  • Know or suspect that a security incident has occurred or is going to occur.

Password Use 

Many of Bristol’s information technology resources require the use of a unique user account and password. It is important for college users to create strong passwords and protect these passwords. Users must never share their passwords with anyone else, must maintain privacy of their password, and must promptly notify ITS personnel if they suspect their passwords have been compromised. For additional information on password creation, use, and protection, refer to the Password Policy. 

Physical and Environmental Security 

Assistance from users is required to ensure a physically and environmentally secure working environment. Users are required to be aware of locking and access restriction mechanisms and must proactively challenge unidentified or unescorted personnel within restricted areas of the college. Users who leave their devices unattended must log off or lock the system before leaving. 

Problem Management 

Users are required to report problems or issues discovered with Bristol information technology resources to the ITS Help Desk immediately following discovery. 

Information Security Awareness 

College employees will be required to attend security awareness training upon hire and may be required annually thereafter.  

ENFORCEMENT 

Any user found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, termination of employment, expulsion from the college, or discontinuation of the business relationship.  

ROLES AND RESPONSIBILITIES 

This section provides details on the college personnel who take part in the development and approval process, and on those to whom the policy applies.

ROLE 

RESPONSIBILITY 

Information Technology Services 

  • Ensure awareness and compliance with this policy. 
  • Ensure that this policy and all component policies and procedures are maintained and implemented.  
  • Review this policy periodically and update as needed in response to environmental and/or operational changes. 

All Users 

  • Understand and adhere to this policy.  
  • Use Bristol resources in only those methods that have been identified as acceptable by this policy.
  • Immediately report unauthorized or suspicious activities or violations of this policy to their manager and the IT Manager. 

RELEVANT REGULATIONS 

This section provides a crosswalk for this policy to the applicable best practice security frameworks, both within Massachusetts and at the national level.  

Framework 

CIS Critical Security Controls v6.1 

Regulations and Requirements 

PCI DSS - MA 201 - HIPAA 

Supporting Standards and Procedures

  • CSC 7 - Email and Web Browser Protections 
  • CSC 8 - Malware Defense 
  • CSC 13 - Data Protection 
  • CSC 17 - Security Skills Assessment and Appropriate Training to Fill Gaps 
  • CSC 19 - Incident Response and Management
  • PCI DSS Requirement 12 - Maintain a policy that addresses information security for personnel. 
  • MA 201 CMR 17.03 2.b.1 - Ongoing employee training 
  • COBIT 5 DSS05, APO11.02 
  • COBIT 4.1 PO.2 - IT Standards and Quality Practices 
  • NIST Core Framework - PR.DS-1, PR.DS-2, PR.DS-9, PR.IP-9, PR.PT-4

REVISION HISTORY 

This section contains information on the approval and revision history for this policy. 

Version Number | Issued Date | Approval | Description of Changes
1.0 | 3/2016 | Massachusetts CIO Council | Development and adoption of collaborative and standardized IT policies
1.0 | 7/2016 | Massachusetts Community College Counsel’s Office | Recommendation on contents provided by college counsel
1.0 | 12/2016 | Standardized Control Framework | Mapping of Controls from COBIT to CIS Critical Security Controls v6.1
1.0 | 9/2019 | President’s Leadership Team | Policy adoption

POLICY CONTACT 

Name: Jo-Ann Pelletier

Title: Vice President, Information Technology Services and Chief Data Officer

Phone: 774.357.2412