Acceptable Use of Information Technology - Authentication, Passwords, VPN, and Network Security
1. Authentication
1.1. Multi-factor Authentication (MFA) is an account access security tool used by the Pierce College District (hereinafter referred to as "District") that requires students and employees to validate that they are the authorized user logging into accounts and resources. This can be accomplished in a number of ways, including but not limited to one-time user numerical codes, biometrics, and registered and approved hardware devices. This security method adds an extra layer of protection to safeguard accounts, data, and network resources and workstations.
2. Password Protection
2.1 In accordance with RCW Chapter 43.105 Washington Technology Services, password protection is a risk management issue. The sharing of passwords creates unauthorized pathways into the network and data systems. By sharing any password, you create the potential that sanctions may be brought against you and any unauthorized user.
2.2 Approaches to password security include and are not limited to the following:
2.2.1 Never write down your password.
2.2.2 Follow system specific password requirements.
2.2.3 Never share your password with anyone; if your password is compromised, immediately change it.
2.2.4 Breaches of password security for District employees must be reported immediately to the user(s) supervisor and the District IT Security team.
2.2.5 Passwords for all logins should all be complex and different. Use of a password manager is highly recommended.
3. Virtual Private Network (VPN)
Access to the District’s VPN tunnel requires the Telework/VPN Application to be submitted and approved by your supervisor and the acceptance and approval of the District telework policy and procedure process. Additional requirements to those listed below may be required to gain access to the District’s VPN tunnel.
3.1 Whenever available, use a District-issued laptop when conducting any work-related activities, especially when connecting to the District’s VPN tunnel as the District VPN safeguards and encrypts traffic while in use.
3.2 Do not download any District data, especially sensitive or confidential data, to your personal computing device(s).
3.3 Save files and data to network shares and supported cloud services (OneDrive through Microsoft 365) and not locally to a personal device or to an unsanctioned third-party app. Dropbox, Google, and other third-party storage solutions are strictly prohibited without District IT approval.
3.4 District assumes no liability for loss, damage or wear to your personal computer, network, or related equipment.
3.5 Work-related Information or data accessed and/or stored on your personal computer or mobile device may be subject to discovery in legal action or public records requests. The presence of District data on your device may make it subject to search, analysis and retrieval by District staff to meet the District’s obligations to fulfill these requests.
3.6 Only connect to secure, password-protected, and trusted internet networks when connecting to the District’s VPN service or accessing District data.
3.7 While connected to the District's VPN, do not access sites or programs for personal use.
3.8 Disconnect from the District’s VPN service whenever you are done using it to access network resources or to remote desktop into an on-campus computer.
3.9 Breaches of District VPN security for employees must be reported immediately to the employee’s supervisor and the District IT Security team.
4. Network Security
In accordance with the Communications Assistance for Law Enforcement Act (CALEA), the District is identified as a Private Network.
4.1 District Internet – The District's internal wired and wireless networks are a private network that is provided exclusively to its students, employees, staff, visitors, conference attendees, invitees, and others involved in campus life and the academic community.
4.2 District Library Networks – The District Library’s Internet is a private network that is provided exclusively for the benefit of students, employees, staff, visitors, conference attendees, District invitees, and others involved in campus life and the academic community, as well as members of the public. Access may only be had at campus library facilities or through a user access code.
4.3 All District computers are configured to automatically lock after 15 minutes of inactivity. Users logged into a District computer or mobile computing device should lock the device, requiring authentication in order to resume, when stepping away for any length of time.
4.4 Unauthorized broadcasting of wireless access mirroring or mimicking official District wireless SSIDs is strictly prohibited.
4.5 Suspected breaches of network security for District employees must be reported immediately to the employee’s supervisor and the District IT Security team.