• Network, Internet and E-Mail Regulations: AR-2060-B


  • Section: 2000 General Administration
    Acceptable Use Regulation
    Administrative Regulation: AR-2060-B
    President’s Cabinet (PC) Approval: 9/24/19 

    Purpose

    Information systems provide access to both data and processes required to support most business functions. They have contributed to substantial improvements in both productivity and customer service. However, the use of information systems to access student or financial data, electronic mail (Email), the Internet, and remote access to college business systems introduces risk. The purpose of this Regulation is to define end user acceptable use criteria for Mt. Hood Community College (MHCC) networks, systems, applications, and data.

    Regulation Statement

    Computers and networks can provide access to information resources both internal and external to Mt. Hood Community College networks. To ensure this information is handled responsibly, users are to respect the rights of other users, protect the confidentiality and integrity of the systems and related physical resources, and observe all relevant laws, requirements and regulations. Failure to comply or act in accordance with any portion of this Regulation will result in sanctions, up to and including termination of employment. Specific guidance for end user acceptable use may be found in the standards established in this Regulation.

    Applicability

    This Regulation applies to full and part-time employees, faculty and other staff, hereinto referred to as “employees” at Mt. Hood Community College or “users” of Mt. Hood Community College networks, systems, applications, and data. The Acceptable Use Regulation includes all personnel affiliated with third parties that access, use, maintain, or process Mt. Hood Community College data or third-party data on the behalf of Mt. Hood Community College. All employees and users are bound by the guidelines and restrictions set forth within this Regulation. This regulation does not override or negate any language in MHCC’s bargaining agreements.

    Responsibilities

    Users are responsible for safeguarding the confidentiality, integrity and availability of systems, applications, and data within their control. Users shall immediately report any unexpected system behavior or irregularities, including any suspected or actual system intrusion, hack, virus, or other computer security incident in information to Mt. Hood Community College IT Department.

    Acceptable Use Regulation Provisions

    • All messages or data created, stored, transmitted, or retrieved over Mt. Hood Community College systems or through Mt. Hood Community College internet or email access are the property of Mt. Hood Community College and will be regarded as proprietary Mt. Hood Community College information. Mt. Hood Community College reserves the right to access the contents of any messages or data sent over its computer network and use that information to enforce its policies and regulations. If the content violates regulations or laws, Mt. Hood Community College reserves the right to submit the information to law enforcement for potential prosecution.
    • NOTE:  This statement does not pertain to or change any existing regulations or faculty contract language related to Academic Freedom or Intellectual Property. 
    • Management reserves the right to revoke the system privileges of any user at any time. Conduct that interferes with the normal and proper operation of our information systems, which adversely affects the ability of others to use these information systems, or violates College policy or law will not be permitted.
    • Users have no expectation of privacy or confidentiality in any of their system usage including internet access and emails. System usage will be monitored for policy, security, and/or network management reasons from time to time and is subject to inspection at any time. Inspection of Mt. Hood Community College systems, data and voicemail by management does not require the consent of, or notice to, individual users. However, any such requests for monitoring will be coordinated through the Mt. Hood Community College HR department. Any personal information placed on Mt. Hood Community College-owned information system resources is accessible and potentially auditable by Mt. Hood Community College.
    • The privacy and confidentiality of all sensitive Mt. Hood Community College data, student information is to be protected by every user in accordance with Mt. Hood Community College’s Data Protection and Security Policy, and Administrative Regulations. It is understood that unauthorized disclosure of any personal information is an invasion of privacy and may result in discipline up to and including termination, civil, and/or criminal actions against an individual. Revealing or publicizing any information which includes, but is not limited to: confidential financial information, confidential student information, databases and any information contained therein, vendor lists, computer software source codes, computer/network access codes, and business relationships is prohibited.
    • Mt. Hood Community College prohibits taking negative action against any employee for reporting a possible violation in good faith of this Regulation or for cooperating in an investigation. Any employee who retaliates against another employee for reporting a possible violation of this Regulation, or for cooperating in an investigation will be considered in violation of this Regulation.
    • This Regulation is not intended to restrict communications or actions protected or required by state or federal law, including the Oregon Public Employees Collective Bargaining Act.

    Acceptable Use Guidelines

    • Mt. Hood Community College networks, systems, and applications are to be used for conducting the business of Mt. Hood Community College. Occasional personal use of the system is permitted, but information, data, and messages that are accessed, processed, shared, retrieved and stored within these systems will be treated no differently from other Mt. Hood Community College records. Incidental personal use of Mt. Hood Community College systems is permissible only if the use: (a) does not consume more than a trivial amount of resources that could otherwise be used for business purposes, (b) does not interfere with staff productivity (c) does not preempt any business activity, and (d) does not otherwise violate Mt. Hood Community College regulations or policy.
    • All users will report any irregularities found in information or information systems to the Mt. Hood Community College IT department immediately upon detection. Employees must report any new programs or suspicious data files that appear on their workstations without their knowledge to the Mt. Hood Community College IT Department.
    • Users must respect the rights of other users, respect the integrity of the systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations. Through its legal representation, Mt. Hood Community College will cooperate as required with law enforcement authorities regarding information security and related incidents.
    • Employees are responsible for the confidentiality, integrity, and availability of their files used for work purposes. Any changes made to their files without their consent are to be reported to the Mt. Hood Community College IT Department immediately.  Shared files will be an exception to this guideline.
    • Users agree to cooperate with Mt. Hood Community College management and/or any regulatory agency conducting an authorized, reasonable internal security investigation.

    Acceptable Use Standards and Restrictions

    All parties governed by this Regulation must adhere to the following acceptable use standards and restrictions:
    General Network, System, and Application Standards and Restrictions
    The following activities related to general network, system, and application access and use is prohibited by Mt. Hood Community College unless part of normal Mt. Hood Community College business operations or without proper approval from Mt. Hood Community College IT Department:

      • Revealing or publicizing sensitive information which includes, but is not limited to: confidential financial information, confidential student information, databases and any information contained therein, computer software source codes, computer/network access codes, business relationships, Mt. Hood Community College computer security or virus activity, etc.
      • Leaving systems or applications unlocked when unattended
      • Connecting unauthorized hardware, systems, or devices to Mt. Hood Community College-owned enterprise networks or systems
      • Installing unauthorized software on Mt. Hood Community College-owned systems
    • Any attempt to negate or circumvent Mt. Hood Community College security controls, policies and procedures (e.g., disabling virus protection or tunneling a protocol through a firewall). Use of tools that compromise or bypass security controls (e.g., computer hacking software, password crackers, network sniffers, etc.) except as used by approved personnel as part of an ongoing security program.
    • Unauthorized use, destruction, modification, and distribution of Mt. Hood Community College information.
    • Sabotage, destruction, misuse, or unauthorized system repairs are prohibited on Mt. Hood Community College-owned or managed information systems.
    • Removing any equipment (with the exception of authorized laptops or tablets) or software from Mt. Hood Community College without written authorization from Mt. Hood Community College IT Department.
    • Removing any equipment or software from Mt. Hood Community College for personal use.
    • Using Mt. Hood Community College networks, systems, or applications to solicit non-Mt. Hood Community College commercial ventures, religious or political causes, or for personal gain outside of Mt. Hood Community College.
    • Intentionally interfering with the normal operation of the network, including the propagation of computer viruses and sustained high volume network traffic, which substantially hinders others in their use of the network.
    • Theft of Mt. Hood Community College resources including sensitive information.
    • Attempting to monitor, read, copy, change, delete or tamper with Mt. Hood Community College data or another employee’s electronic records except where circumstances dictate, e.g., a forensic investigation. Documented permission from Mt. Hood Community College IT Department is required.
    • Use of Mt. Hood Community College networks, systems, and applications, including the internet, email, and voicemail that violates local, state or federal laws, including, but not limited to, accessing, storing, or transmitting information, messages, images, links, etc. that is obscene as defined by contemporary court decisions and including pornography, defamatory content, or a violation of the College’s nondiscrimination and harassment policy.
    • Playing games or excessive streaming of audio or video material not beneficial or related to instruction or Mt. Hood Community College business.

    Email Acceptable Use Standards and Restrictions
    Email and other electronic media may be received from sources outside of Mt. Hood Community College. All electronic mail received from unknown sources could be malicious and carry computer viruses. The following activities related to email access and use are prohibited by Mt. Hood Community College unless part of normal Mt. Hood Community College business operations or without proper approval from Mt. Hood Community College IT Department:

      • Knowingly introducing a computer virus into Mt. Hood Community College networks, systems, or applications.
      • Using another user’s email account or loaning account privileges to others.
    • Forwarding email from unknown origins to Mt. Hood Community College employees or partner organizations except as part of a security investigation or when authorized by Mt. Hood Community College IT Department.
    • Email activity that is threatening.  
    • Sending fictitious messages that could be mistaken for official Mt. Hood Community College statements, marketing, or materials.
    • Sending email anonymously or using aliases
    • Using email to send spam messages (i.e., global send or mail barrage). This includes the forwarding of chain letters, jokes, philosophical or religious “feel-good” Emails, or unverified reports of computer viruses and other “warnings” of the urban legend variety.
    • Using email to send threatening, libelous or derogatory messages.
    • Forging email content (i.e., identification, addresses, etc.).
    • Altering the content of original messages in a manner that changes the intent or the factual information when forwarding or replying to a message.
    • Forwarding Mt. Hood Community College email containing confidential or highly confidential information to personal email accounts without documented permission from Mt. Hood Community College IT Department.
    • Sending unencrypted confidential or highly confidential information using email.

    Internet Access Acceptable Use Standards and Restrictions
    Employees using Mt. Hood Community College provided internet access are representing Mt. Hood Community College. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner. The following activities related to internet access and use is prohibited by Mt. Hood Community College unless part of normal Mt. Hood Community College business operations or without proper approval from Mt. Hood Community College IT Department:

    • Using the internet for any unlawful activity or for personal gain.
    • Reproducing, distributing, or displaying copyrighted materials without prior permission of the copyright owner, including, but not limited to, text, images, photographs, music files, sound effects, and other legally protected works. Internet users will make full attribution of sources for materials collected from the Internet. Plagiarism or violation of copyright is prohibited.
    • Downloading any software without the documented permission of Mt. Hood Community College IT Department.
    • Representing personal opinions as those of Mt. Hood Community College or purport to represent Mt. Hood Community College when not authorized to do so.
      • Uploading or otherwise transmitting commercial software or any copyrighted materials belonging to either Mt. Hood Community College or third-parties.
      • Internet activities that can be attributed to Mt. Hood Community College domain address (such as posting news to newsgroups, using chat facilities, and participating in mail lists) must not bring disrepute to Mt. Hood Community College.
      • Sending sensitive information using unencrypted data transport mechanisms, e.g., FTP.
      • Use of TOR browsers, private DNS servers and/or private VPN Connections on MHCC devices, unless explicitly approved by Mt. Hood Community College’s IT Security Officer/CIO. 

    All streaming media and applications will be monitored, filtered and rate limited based on the college’s needs at any given time.
    Removable Media Acceptable Use Standards and Restrictions
    The use of removable media and mass storage devices, including, but not limited to, USB flash drives, SD cards, CD/DVDs, external hard drives, etc., to store confidential or highly confidential information is prohibited except when encrypted and approved by the Mt. Hood Community College IT Department.
    File Share Website Acceptable Use Standards and Restrictions
    The college allows the use of authorized internet-based file sharing solution(s) to facilitate information sharing as part of everyday business activities. The use of unauthorized file sharing/data repository services (e.g., Dropbox, iCloud, Google Drive, Box, etc.) to store, access, or transmit Mt. Hood Community College or partner information is strictly prohibited. It is permitted to access information owned by other organizations in their shared tool for the purpose of collaborating. For a list of authorized solutions, please contact the Mt. Hood Community College IT Department.
    Wireless Networking Acceptable Use Standards and Restrictions
    Wireless networks are provided to Mt. Hood Community College employees to conduct Mt. Hood Community College business. At times, employees will need to connect to non-Mt. Hood Community College wireless networks using Mt. Hood Community College issued mobile devices and other hardware. Employees must adhere to the following requirements related to wireless network use anytime there is a connection to MHCC’s network whether using personal or college-owned device:

    • It is prohibited to share Mt. Hood Community College wireless network access codes, including guest network access codes, with non-Mt. Hood Community College personnel with the exception of vendors, contractors, and legitimate third-party visitors. All exceptions to this Regulation require documented permission from Mt. Hood Community College IT Department.
    • When performing MHCC work off campus and on unsecured public networks, it is required that all connectivity to the Mt. Hood Community College’s network be done through a VPN connection (coffee shops, airports, etc.)
    • Home Wireless Networking

    We strongly encourage employees who access Mt. Hood Community College systems or data on home networks using personal or college devices to utilize the following security best practices:

        • At a minimum, use WPA2-AES security protocol for wireless network encryption and access control.

    DO NOT USE WEP OR WPA SECURITY PROTOCOLS

        • Pre-Shared Key (PSK)/wireless network passcode settings should meet the following minimum-security requirements:
          • Factory Passcode: Change
          • Minimum Length: 24 characters
          • Complexity: Utilize each of the following: upper and lowercase characters, numerals, special characters (including spaces)
        • Modem and router administration utility/webpage passcode settings should meet the following minimum-security requirements:
          • Admin Username: Change from default
          • Minimum Length: 15 characters
          • Complexity: Utilize each of the following: upper and lowercase characters, numerals, special characters (including spaces)

    Note: The modem/router administration utility passcode should differ from the wireless network passcode

        • If available, enable MAC filtering or whitelisting to ensure only authorized devices can access the home network
        • The PSK should be changed on a regular basis
        • A separate “guest” network should be enabled and follow the aforementioned PSK passcode setting requirements
        • Enable wireless network firewall capabilities
        • Disable UPnP
        • Enable logging
        • Update modem and router firmware periodically

    Remote Access Acceptable Use Standards and Restrictions
    Remote access users are expected to ensure the protection of Mt. Hood Community College networks, systems, applications, and information.  The following activities are prohibited when remotely accessing MHCC systems:

    • Connecting to Mt. Hood Community College networks, systems, and applications using unapproved systems or devices.
    • Allowing any unauthorized person to either remotely access or access an active remote session to Mt. Hood Community College networks, systems, and applications.
    • Sharing remote access authentication codes with anyone.
    • Remote access authenticated sessions must be secured at all times and not left unattended.
    • Connecting to any other network while remotely connected to Mt. Hood Community College networks, systems, or applications, with the exception of personal networks that are under the complete control of the user.
    • All systems used to remotely connect to Mt. Hood Community College networks, systems, and applications must have up-to-date antivirus/antimalware/antispyware software enabled and the latest security patches installed.

    Authentication Code (Password) Acceptable Use Standards and Restrictions
    Authentication codes (usernames, passwords, tokens, certificates, wireless passcodes, etc.) are the primary access control to Mt. Hood Community College networks, systems, and applications and, as such, must be protected from unauthorized disclosure. Users of Mt. Hood Community College networks, systems, and applications must create strong, complex, and difficult-to-guess authentication codes.

      • Sharing authentication codes (e.g., usernames, passwords, tokens, wireless passcodes, etc.) to Mt. Hood Community College-owned networks, systems, and applications or networks, systems, and applications used by Mt. Hood Community College as part of normal business operations with anyone is prohibited, including supervisors and IT staff. Immediately report any requests to share authentication credentials to supervisors or senior management.
      • Authentication codes may only be stored in properly encrypted files or, preferably, password storage vaults.
    • Writing down authentication codes is strictly prohibited and may be grounds for disciplinary action.
    • To mitigate the risk of unauthorized network, systems, or application access, authentication codes should conform to specific criteria as outlined in the internal guidelines at the following Link:  https://home.mhcc.edu/InformationTechnology/PasswordStandards.aspx

     
    Note: Mt. Hood Community College understands that some systems and applications do not support long or complex authentication codes. In these cases, users must create the longest and most complex authentication codes permissible by the system or application.

      • Users should never:
        • Use dictionary-based words or names, dates, locations, etc. associated with your personal life
        • Use the same authentication code for multiple websites or applications
        • Use the same authentication code construction method for multiple websites or applications if authentication codes only vary by a few characters
        • Store authentication codes in unencrypted and non-password-protected electronic files
        • Answer security questions accurately
      • If you suspect any authentication code has been compromised, you must change the authentication code and notify the Mt. Hood Community College IT Department immediately.
      • Authentication codes to Mt. Hood Community College networks, systems, and applications that allow code reset using email may only be performed using Mt. Hood Community College email accounts.

    Mobile Device Acceptable Use Standards and Restrictions
    Mobile Devices include, but are not limited to, laptop computers, MiFi devices, smartphones, tablets, cellular phones and any other “smart device”. Employees must adhere to the following requirements related to accessing MHCC data/systems/network on a mobile device whether personally owned or college-owned:

    • Mobile devices must have authentication configured to a minimum standard of:
      • 6-character authentication code (smartphones, tablets)
      • 8-character authentication code – complex (laptops)
    • Unauthorized users are not allowed access to Mt. Hood Community College-owned mobile devices, including family members.  This includes personally owned devices while connected to MHCC systems or data.
    • Mobile devices must not be left unattended unless properly secured. Vehicles are not considered secure areas and, as such, mobile devices must never be left visibly unattended in vehicles.  If a device must be left in a vehicle, it must be in a locked trunk or compartment.
    • Mobile device users must use caution when accessing mobile devices in public and be aware of social engineering and physical security threats, such as shoulder surfing, malicious wireless networks, pickpocketing, confrontational robbery, etc.
    • Never store mobile devices in checked luggage at the airport.
    • Do not share mobile hotspot or MiFi authentication codes with unauthorized, non-Mt. Hood Community College personnel unless authorized by Mt. Hood Community College IT Department.
    • Lost or stolen devices must be reported to the Mt. Hood Community College IT Department as soon as discovered and not more than 24 hours later. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.
    • Mt. Hood Community College is not responsible for any costs associated with replacing employee-owned devices.
    • The employee assumes full liability for risks including, but not limited to, the partial or complete loss of data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.
    • While every precaution to prevent the employee’s personal data from being lost in the event of remote wipe, it is the employee’s responsibility to ensure personally-owned data is backed up.

    Acceptable Use Regulation Compliance

    Appropriate disciplinary action may be taken up to and including termination for substantiated violation(s) of this administrative regulation.