Policy Issue: Acceptable Use of Technology Resources
Policy Statement Code: 7016
Date Adopted: March 2002
Dates Reviewed: Nov. 2007, Jan. 2010, June 2011
Dates Amended: Dec. 2007, Feb. 2010, July 2011
Southwestern Illinois College provides extensive computing and network communications services. These services, known collectively as Information Technology (IT), are part of the campus infrastructure, and their purpose is to support the college’s teaching and public service missions. Technology and information services administered by the college, including any service arrangements that involve resources hosted off-campus, are part of the campus technology environment for the purposes of this policy. Unless explicitly noted, these policies apply to all computing and network communications equipment in all units of the college and to all individuals (employees, students, Persons of Interest, etc.) with access to Southwestern Illinois College computing resources or confidential information… This document addresses issues specific to Southwestern Illinois College computing, data and network usage. Sections 1 through 5 articulate policies regarding individual users of computers, data and networks; sections 6 through 9 summarize administrative protocols for computing and network administrators and should not be construed as creating additional rights for individual users. Other college policies that address specific activities and behaviors, some of which are cited later in this policy, continue to apply to computing, data and network use. Individuals using college computing, data and networking services should be particularly aware of policies that apply to discrimination, harassment, the use of copyrighted materials, and those that apply to the appropriate use of college resources. Computing and network communications are changing rapidly both in terms of technology and application, and the college reserves the right to amend this policy at any time. All members of the college community are given notice of this policy by virtue of its publication, and are subject to it on the same basis. Ignorance of this policy does not relieve anyone of his or her responsibilities under it.
S-Net: the computer and data communications infrastructure at the college. It includes the campus backbone and local area networks, all equipment connected to those networks (independent of ownership), all equipment registered to any domain name owned by the college, and all applications and information services administered by the college (including, but not limited to, eSTORM, PeopleSoft, course management systems, and e-mail).
IT: the college’s Information Technology division.
College units: the various departments and divisions and offices of the college.
Confidential: Southwestern Illinois College information that is non-public or is intended to be non-public. This does not extend to individual faculty members’ course materials. The types of data, level of security, and conditions for release are based on the requirements of applicable laws, regulations, policies, contracts and agreements, respect of privacy and identity information, and other operational needs. For example, an individual’s Social Security Number, a student’s official final grades, and a payee’s credit card account data are all confidential.
Persons of Interest: individuals who have a relationship with the college but with an affiliation other than employee or student. This may include, but not be limited to, contractors and individuals in partner organizations such as food service or bookstore.
3. Underlying Principles
- The principles of academic freedom apply in full to electronic communications. The institution has adopted the academic freedom principles as articulated by the American Association of University Professors and has incorporated these into the faculty memorandum of understanding.
- The use of computing, data and network services provided by the college is subject to all applicable state and federal laws, as well as applicable college policies.
- The definition of types of data includes, but is not limited to voice, data and video that traverse the network infrastructure (S-net), that interface with the Internet, that interface with outside services, and that traverse between authorized external services and S-net.
- All standards of behavior, courtesy, and etiquette that govern vocal and written communications also extend to electronic communications.
- IT is responsible for the design, operation, and management of the computing and network communications services provided. When IT becomes aware of any use of S-Net that violates provisions of college policy, presents a security risk, or degrades services to others, IT may suspend or terminate network access and use and/or notify appropriate disciplinary and/or legal authorities. Where feasible, IT will provide prior notification of actions that affect network use and access. IT’s responsibilities include, but are not limited to:
- The choice of protocols supported by the network,
- The definition of technical standards necessary for efficient operation of the network and for the security of transmitted data and networked computers.
- Delivery paths for network communications including telecommunication lines, switches, hubs, routers, etc.
- Institutional services utilizing network communications
- Application of network management policies adopted by the institution to ensure inter-operability of department local area networks (LANs),
- Monitoring the overall system to ensure the reliability, robustness and security of the college network infrastructure, and
- Serving as the institutional representative to the Internet community, under the auspices of the Chief Information Officer (CIO), and ensuring that the college is a responsible member of that community.
4. Proper and Authorized Use of S-Net
IT is charged with ensuring the integrity of S-Net computers and communications. IT takes active steps to ensure the physical integrity of the infrastructure, including routine monitoring of performance and reliability. While IT does not routinely monitor appropriate use of S-Net by individuals, it will respond to complaints or other notifications of inappropriate use. Units that provide access to S-Net are responsible for ensuring that use is limited to legitimate users and is consistent with college policies and contractual obligations that govern the software and services offered on S-Net. Use of S-Net is a privilege, not a right, which may be suspended or terminated by IT when, in its judgment, this policy has been violated by the user.
- Purpose of S-Net: S-Net exists to support the educational and public service missions of the college, and its use shall be limited to those purposes.
- Appropriate Use of S-Net: All use of S-Net must be consistent with our public, educational status, and any use inconsistent with that status is prohibited. No individual may use S-Net resources for commercial or profit-making purposes or other purposes unrelated to the mission of the college. As with all college computing and network facilities, S-Net may not be used for improper or illegal purposes, such as unauthorized use of licensed software, intentional efforts to breach security, sending unauthorized mass mailing, or the transmission of computer viruses.
- Ownership of Network Identifiers: College-supplied network identifiers (network ID’s), college identification numbers, and computer-sign-ons (UserID’s) are the property of the college. The college may revoke these identifiers or sign-ons at any time.
- Responsibility to Maintain Privacy of Passwords: Passwords, passcodes, or similar authentication information associated with an individual, an individual’s network IDs or computer account shall not be shared without authorization. Compromised passwords may affect not only the individual, but also other users on campus or on the Internet.
- Proper Identity Required: Electronic mail and other forms of electronic communication must carry the proper identity of the sender at all times. Information servers (e.g., Web servers) must display the email address and identity of the unit or person responsible for maintaining the information.
- Appropriate Use of Capacity: As described in Section 9 below, bandwidth both within campus and connecting to the Internet is a shared, finite resource. Computing environments also have finite storage and processing capacity. Users of S-Net must make reasonable efforts to use S-Net resources in ways that do not unreasonably affect others. College units may set guidelines on capacity utilization within their unit for purposes of resource allocation.
- Appropriate Use of Online Services: Internet services such as social networking, audio or video streaming, podcasting, etc. will be used primarily for instructional and institutional needs. Hosting of any Internet Services will be centralized within IT for proactive management. Activities associated with unauthorized hosting of social networking, peer-to-peer networks, video or audio streaming, podcasting, etc. will be suspended promptly upon discovery. If malicious activity is suspected, the appropriate legal, administrative, and Student Conduct processes will be followed.
- Use by Faculty and Staff
- Passwords and College Units: Faculty and staff, including student employees, must not under any circumstances share their passwords with others, even with supervisors. However, when limited access to college-related documents or files is required specifically and solely for the proper operation of college units and where available technical alternatives are not feasible, exceptions may be specifically authorized by IT.
- Use Unrelated to College Positions: Use by college employees unrelated to their college positions must be limited in both time and resources and must not interfere in any way with college functions or the employee’s duties. It is the responsibility of employees to consult their supervisors if they have any questions in this respect.
- Use by Students:
- Responsibility for Passwords: Students must not share their passwords with others, even with friends. Students are responsible for ensuring that their computers are secure from unauthorized use. When working as employees, students are covered under section c) above.
- Appropriate Use of Online Services: Students will comply with institutional guidelines as published in Board Policy and in the Student Rights and Conduct statement.
- Use by Non-College Users: Non-college individuals and organizations may not use S-Net, except as specified by written college contract or that which is intended to be available to the general public, such as the Southwestern Illinois College web site. It is the responsibility of the contracting unit to ensure that content and usage of S-Net adhere to all general college policies and that resources are provided in a secure manner. For purposes of this policy, a contracting organization shall be deemed to be a unit of the college, and designated officials of the organization may exercise the responsibilities of college administrators as described in this policy, except that the contracting organization may not exercise or supersede the authority of the CIO.
- Limited to College-related activities: Legitimate non-college users may use their college provided accounts and Internet access only in conjunction with their authorized college-related activities.
- Authorized Organizations: S-Net resources may be used in support of organizations approved by the CIO. While it is appropriate for the home pages of these organizations to provide some information about external organizations, clubs, commercial entities, etc. S-Net -connected equipment may not be the primary repository for that information.
- College-sponsored External Entities: Any college program that, in the interest of collaboration, wishes to provide an external entity with Internet access or to host non-college materials on an S-Net-connected server must first consult with IT about alternatives and secure approval from the CIO.
5. Protection of Information in Electronic Media
5.1 Status of Information in Electronic Media
Information and data maintained in electronic media are protected by the same laws and policies, and are subject to the same limitations, as information and communications in other media. Confidential information must remain secure from unauthorized access. Before storing or releasing (by email, in collaboration forums, or any other means) confidential or personal information, users should understand that most materials on college systems are, by definition, public records. As such, they are subject to laws and policies that may compel the college to disclose them. The privacy of materials kept in electronic data storage and electronic mail is neither a right nor is it guaranteed.
5.2 Examination of Contents of Electronic Messages, Files, and Other Communications
Unless required by law or authorized administrative approval to do otherwise, IT and unit-level LAN-and systems administrators shall not examine the contents of electronic messages, files, or other communications and shall make every reasonable effort to protect them from unauthorized inspection, subject to the following:
- Contents of Email: The contents of electronic messages might be seen by a system administrator in the course of routine maintenance or in order to dispose of undeliverable messages. In addition, electronic mail systems store messages in files (e.g., the file containing a user’s inbound mail.) These files are copied in the course of system backups, and these backup copies may be kept long after original messages were deleted.
- System Files and Logs: In the course of resolving system performance or security problems, IT and unit-level system administrators may examine the contents of files that control the flow of tasks through the system or that grant unauthenticated access to other systems. This includes systems logs that document some activities of users.
- File and Directory Names: File names and directory names are treated as public information and are not protected.
- Other Communications: In the course of managing or of diagnosing problems in any electronic communication media or system, administrators may examine information about the communications, such as the routing, addresses, or protocols, as well as the contents of communications.
5.3 Process for Requesting Disclosure of Contents of Messages and Files
- Requesting Disclosure: Requests for disclosure must be made in writing through regular reporting channels, consistent with the guidelines below. Requests for disclosure are made to the college Chief Information Officer (CIO), who is assigned the responsibility for implementing this policy and ensuring that the scope of the disclosure is limited to a legitimate college purpose. The CIO carries out these responsibilities in consultation with Legal Counsel and other appropriate offices. The CIO may designate an individual to act on his or her behalf in fulfilling these responsibilities. All authorizations by the CIO or his/her designee will include specifications for the form and timing of notification to the person whose information is accessed or disclosed.
- Action While a Request is Pending. While a request consistent with this process is pending or under consideration, the requesting unit executive officer may ask computer system administrators to take reasonable, necessary steps to maintain, store, or otherwise prevent the deletion or modification of the information being sought. This must be done in such a way as to maintain the privacy of said information until the requested disclosure is reviewed. IT may be able to advise units on appropriate procedures.
- Notification of Affected Individual(s): a) When IT or other authorized unit administrators provide access to, and disclosure of, email messages and/or file content under provisions of external laws, regulations or applications of this college policy, the requesting administrator will normally notify in advance the individual(s) whose information is to be released, indicating the information to be released and the law, regulation or policy that governs the release. If individuals are not notified in advance, the CIO will be responsible for determining when notification is appropriate and for ensuring that appropriate notification is carried out. Circumstances in which notification may be delayed or not performed include, but are not limited to,
(1) the presentation by legal bodies of subpoenas or other instruments prohibiting advance notification,
(2) situations where the safety of individuals is involved, or
(3) investigations or inquiries conducted under published college policies.
- Conditions for Disclosure: In the absence of legally compelled access or disclosure, the CIO is authorized to grant access to a user’s file contents or electronic mail messages, or to give copies of them to any third party within the college only if all the guidelines below are met:
- The access or disclosure is requested in writing through regular college reporting channels, including the unit executive officer of the individual whose information is being disclosed and the next administrator in that reporting chain, and
- The reason for the requested disclosure serves a legitimate college purpose, and
- The disclosure is not invasive of legitimate privacy interests or unreasonable under the circumstances, e.g., in light of alternative means of acquiring the information or achieving the requester’s purpose, and
- The nature and scope of the disclosure is submitted in writing to and approved by the CIO. This request is normally submitted by the approving executive officer indicated above.
5.4 Review of Disclosure
S-Net users whose information is accessed or disclosed under the above provisions should use existing college complaint and/or grievance procedures when concerned about the application of this policy.
5.5 Portable Media and Remote Access
Southwestern Illinois College Confidential data in electronic form must remain secure when it is stored or transported using portable media or remote access.
Portable electronic media is electronic storage that is designed to be easily portable for transport and use. Examples include, but are not limited to, laptop, flash drive (thumb drive, USB drive), PDA, Smartphone/iPhone, iPod, and CD/DVD.
The following provisions apply to Confidential data in portable electronic media, devices, and remote access:
- The security of Southwestern Illinois College data must be maintained at all times. Due to the increased risk of loss or theft, only approved Portable Media may be used for Southwestern Illinois College Confidential data.
- The storage of Confidential data on Portable Media must be limited to that which is necessary for organizational purposes.
- Only approved Portable Media may be used for Southwestern Illinois College Confidential data. Approval may only be granted by the Chief Information Officer or his/her designee. The contact point for approved media and approval requests is the office of the Computer Support Services Director.
- d. The approval criteria for any Portable Media will include a requirement for a sufficient level of encryption. No Portable Media may be used that does not include encryption.
- All user action must be consistent with the objective of maintaining security of Southwestern Illinois College Confidential data and device/media. This includes, but is not limited to, maintaining physical possession of the Portable Media, remembering passwords and keys without writing them down, setting strong passwords, destroying data after use, and promptly reporting to IT or Public Safety any incident related the loss or suspected loss of confidentiality or media.
- No Confidential Southwestern Illinois College data may be stored unencrypted on unapproved media. No encrypted Portable Media may be attached to an unapproved device in a manner that would allow the data to be stored on the unapproved device.
- For the most part, the technologies that will be approved will not include any sort of recoverability system (such as “key escrow”). Encryption technologies have varying levels of recoverability. For some, once the encryption key is set, there is no recovery possible.
- When Portable Media is no longer needed, the Confidential data must be removed completely and made irrecoverable before either re-use or disposal of the media. In some instances, the only means to satisfy this requirement will be physical destruction of the media.
- Southwestern Illinois College Confidential information may only be stored or handled using Southwestern Illinois College-owned devices and equipment or when using non-Southwestern Illinois College-owned devices that have been pre-approved for use and are configured and operated according to Southwestern Illinois College standards.
- In the case of faculty recording of grades prior to submitting the official final grade such homework assignments and tests, that information is the responsibility of the faculty member and it is not Southwestern Illinois College Confidential.
- Upon request from an employee’s management (e.g., for staff, supervisor; for faculty, coordinator or department chair), the employee with access to encrypted Southwestern Illinois College information must provide the information in decrypted form, the means sufficient to decrypt the information, or both.
6. Responsibilities in Managing S-Net
This section outlines responsibilities in managing S-Net that may affect units and individuals.
- Network Design: IT will work with any unit to develop or modify a network to meet unit needs. Needs directly related to the college’s education or public service missions have first claim on resources.
7. Network Design
IT is responsible for the design or approval of departmental local area networks (LANs) that are connected to the campus network and their connections to the campus backbone. The following subsections document policies and procedures relevant to these areas. The term LAN as used here refers to the routers, switches, repeaters, cabling and patch panels, but excludes servers and other computers.
- S-Net Address Space: Only IT-approved domains may be operated within S-Net address space. Publicly accessible Domain Name Servers must be approved by IT before they are placed in service.
- Responsibility for Telecommunications Wiring: IT is responsible for the telecommunications wiring system on the college’s campuses. If portions of this system are used in the construction of a LAN, all such use must conform to institutional standards.
- Local Network Policies: Network administrators and the owners of local networks may develop their own network policies, as long as they are not in conflict with college policies. Unit-level policies may not restrict access to campus services, except where specific security concerns require it, and may not contravene policies stated here.
- Responsibility of Units: Units are responsible for the uses of their local area networks and servers. In particular, units are responsible for ensuring that materials published electronically or otherwise placed on their servers are relevant and appropriate to the unit’s mission.
- Licensing and other Restrictions: Some servers connected to S-Net provide services or software that are restricted by licensing agreements to use by college students, faculty and staff. Some licenses may further limit use to a specific campus or particular units. Servers must be configured such that restricted services or software are accessible only to those who are eligible.
- LAN Administrators: Each LAN must have at least one designated administrator who is responsible for its administration and management, and whom IT may contact if it detects a problem.
8. Network Security
The security functions of commonly used desktops, servers, and communications technologies are often vulnerable, allowing unauthorized access to or viewing of system resources. A security violation on one machine may threaten security of other systems on the network, allowing unauthorized users to disrupt or damage interconnected systems. Because of this, each individual and unit has certain responsibilities to ensure that their systems are reasonably secure. This section describes security-related roles and responsibilities. It also describes circumstances under which S-Net user data can be collected and examined by an individual managing a LAN, server, or system.
- Responsibilities of Network Administrators: It is the responsibility of every network administrator to have expertise sufficient to maintain appropriate levels of security and system integrity on local LANs. IT will document best practices and procedures for maintaining network security and integrity, in consultation with the campus community and peers nationally. IT provides training, consulting, and general support to network administrators.
- Ensuring Integrity of S-Net: In the event that IT judges a LAN to present an immediate risk to the integrity of S-Net equipment, software, or data, or presents a risk to the external network (resulting in potential liability for the college), IT may terminate or restrict the LAN’s network connection without notice. If there is no immediate risk, IT will bring the matter to the attention of the LAN’s network administrator. If IT is unable to resolve the problem at this level, it will contact the unit executive officer or the next level administrator. In addition, if an individual system administrator of a multi-user system determines that an account presents an immediate security risk, he or she may inactivate the computer account without prior notice. The administrator must contact IT in a timely manner to report and discuss the situation. In the course of ensuring the integrity of S-Net and local LANs, IT and system administrators, respectively, may use tools, monitoring hardware and software, and log information as indicated here:
- Security Tools: IT may use tools designed to locate security flaws in equipment connected to the campus network and will take appropriate steps to protect the privacy of data (as provided by this policy) in the process. When IT documents risks to security or network integrity, units are responsible for immediate responses to mitigate or remove the risk. Whether so notified or not, units are responsible for appropriate security with respect to equipment within their LAN.
- Network Monitoring Tools: In order to solve network problems, system administrators may employ software or hardware devices from time to time that capture contents of packets traversing the network, including email, Web, and other services. These monitoring tools will be used to monitor and improve the performance or integrity of the network. They will not be used to monitor or track any individual’s network activity except under the special authorizations provided for under Section 5.
- System Log Files: Managers of systems and network services may log connections to their machines and services made via remote access or S-Net. The information recorded may include the source and destination for a connection, and session start and end times.Operators of multi-user systems may keep logs of activities on their systems. The logs may include login name, timestamps and commands issued. Network administrators may not monitor individual users’ data or files except under special authorizations provided for under Section 5.
9. Bandwidth Guidelines
S-Net and its connections to the Internet are a shared, finite resource. While every effort is made to provide adequate bandwidth for college purposes, bandwidth may not be available for every use.
- New Applications: Extensive use of new applications that require very large amounts of bandwidth on the campus backbone must be discussed with IT beforehand, so that appropriate planning can take place.
- Degrading Network Performance: If use of a computing or network service by a project or individual seriously degrades network service to others, IT will try to help the project or individual obtain the needed service in a way that does not seriously impact others. If a network upgrade is required, the unit or user may be asked to pay all or part of the cost.
- Responsibilities of Network Administrators: Network administrators are responsible for monitoring and managing traffic on their LANs to protect the quality of service from adverse impact by users whose applications require substantial bandwidth or other network resources.
10. Website Usage
This section addresses issues specific to Southwestern Illinois College website usage and is related to: Commercial Advertising, Compliance, Copyright, Links, Logos and Other Trademarks, Nondiscrimination, Personal Business, and Web Accessibility. Institutional Web Pages include: all Web sites using the swic.edu domain (examples: www.swic.edu, fac.swic.edu,estorm.swic.edu), external services (such as for social networking, blogging, micro-blogging), and all web pages representing Southwestern Illinois College to the community.
- Commercial Advertising: Commercial advertising is only permitted on pages published on Southwestern Illinois College Web servers to the extent allowed by other policies. No graphic or text may imply Southwestern Illinois College endorsement of commercial products or services. A disclaimer should be displayed if non-endorsement is not evident from the context (see links- below.)
- Compliance: All official Southwestern Illinois College Web pages that comply with College policies and guidelines will be eligible to display a seal or mark that certifies such compliance.
- Copyright: Copyright laws apply to electronic publishing as well as to print publishing. Publishers must have permission from the copyright owners to copy and display text, graphics, or photographs on their pages. In the alternative, publishers must have a reasonable basis for believing their use of copyright materials of others constitutes fair use or that the materials are in public domain. Electronic publications are subject to the same Southwestern Illinois College policies and standards.
- Links: Links from a Southwestern Illinois College page to any non-college site must not imply College endorsement of the site’s products or services. A disclaimer should be displayed if non-endorsement is not evident from the context. Links that violate this policy must be deactivated.
- Logos and Other Trademarks: The approved college logo must appear on the published entry page (home page) for all college related sites using the swic.edu domain (including intranet sites). For external services and all other web pages representing Southwestern Illinois College to the community, the approved logo may only be used or displayed with the approval of the Public Information and Marketing unit. All pages must also clearly communicate the name of the unit publishing the page. All representations of Southwestern Illinois College or campus names, logos, or other trademarks must conform to Southwestern Illinois College’s Graphics Standards Manual.
- Nondiscrimination: All Web pages must comply with the Southwestern Illinois College’s Board Policy on nondiscrimination.
- Personal Business: Southwestern Illinois College resources may be used to create Web pages about an individual or an individual’s interests but may not be used to create Web pages for personal business, personal gain, or partisan political purposes, except as permitted by the college or by law.
- Web Accessibility: Southwestern Illinois College is committed to making all its electronic information accessible in compliance with applicable state and federal laws and to follow Southwestern Illinois College standards of Web Accessibility.