GENERAL TOPIC: Computing and Communications Systems

SUBJECT: Computer Information Systems Resources (CISR) Acceptable Use

Procedure Status: Revised Date: 6/2023

1. Purpose

The Pierce College District (henceforth referred as “District”) encourages free and open inquiry in an effort to further individual learning. To facilitate this inquiry, the District makes available a variety of computer hardware, software, related technology and links to information systems. This procedure is offered with the intent of balancing limited resources with the spirit of open access and inquiry in compliance with state and federal laws, security, and ethical requirements. This document and related procedures are designed to guide all District users in the acceptable use of District Computer Information Systems Resources (CISR).

2. Scope

This procedure provides general direction for all CISR users. The complexity of the subject matter and the diversity of the District are an acknowledgment. Therefore, individual organizational entities within the District are encouraged to develop location specific guidelines and procedures. The Information Technology Security Team, with review by the District Technology Council, must approve individual organizational guidelines and procedures before implementation. All guidelines and procedures must be consistent with CISR Acceptable Use Policy, Administrative Procedure, and District educational outcomes.

3. User Rights and Responsibilities

3.1. Users are granted access and privileges to CISR according to their role (employee, student, community member/guest, volunteer, intern, contractor, etc.) in the District.

3.2. To provide a predictable and secure computing environment, users will adhere to both the letter and spirit of this district policy and its related procedures, state and federal laws, and the common sense standards of courtesy and civility. Failure to comply may result in loss of information access privileges and/or other penalties.

3.3. Users have the right to appeal suspension of services. Request for reinstatement of suspended services must be submitted in writing within 7 days of the start/notice of suspension. The appeal process will include the supervisor of record, unit administrator, and the Chief Information Officer (CIO). All final decision(s) rest with the CIO.

3.4. Users are responsible for checking policies and procedures whenever changes are announced or when they return from an extended leave. Users acknowledge that the District accepts no responsibility or liability for the specific acts of individuals that violate this or any applicable law, policy or procedure.

3.5. Users with authorized password access will be required to sign a CISR Acceptable Use Agreement, which will be retained by the District IT/HR/other.

4. District Rights & Responsibilities

4.1. The District reserves all rights to and control of electronic information systems, facilities, and accounts owned or operated by the District, while adhering to the principle of open access to information necessary to our student educational mission. The District does not restrict access to information based upon its content unless otherwise prohibited by law.

4.2. There may be circumstances that warrant access to individual data files or system resources without the consent of the user. Access without a user’s consent occurs only when written or verbal approval is received from an appropriate president or vice president, to include but not limited to the following:

4.2.1. When necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise to preserve the integrity of the District CISR and systems

4.2.2. When required by federal, state, or local law or rules

4.2.3. When there are reasonable grounds to believe that a violation of law or a significant breach of District policy has occurred

4.2.4. When there are reasonable grounds to believe that access and inspection or monitoring will produce evidence considered misconduct by students or employees

4.2.5. When such access to CISR is required to carry out essential business functions of the District

4.2.6. When required to preserve public health and safety

4.3. In order to carry out administrative functions, the District CIO or designee is authorized to:

4.3.1. Suspend service. The CIO will provide written notification with cause of suspension of service to the user, supervisor of record and unit administrator.

4.3.2. Limit or restrict individual use and hours of operation.

4.3.3. Inspect, copy, or remove data files or system resources.

4.3.4. Conduct routine monitoring and logging of activities for maintenance and security on the network systems.

4.3.5. Publish system backup and backup retention schedule.

4.4. The District makes no warranties, whether implicitly expressed or otherwise implied, for CISR or services. The District will not be liable, in any event, for incidental or consequential damages, direct or indirect, resulting from the use of CISR or services. This includes but is not limited to loss of data, a breach of security, or the transmission of misinformation. The District cannot guarantee that messages or files are private and secure.

4.5. The District cannot protect individuals against the existence or receipt of material that may be offensive to them. As such, those who make use of electronic communications are cautioned that they may encounter or be the recipients of material they find offensive or objectionable in nature or content.

4.6. Files stored on District systems may be subject to disclosure under the State Public Records Act (RCW 42.56). In addition, the District will cooperate with a court order such as warrant or subpoena. This may include archives of electronic mail sent or received.

4.7. All System and Network Administrators will be required to sign an Ethics Agreement, which will be retained by the District (see Systems Network Administrations form)

5. Compliance Procedures

5.1. Password Protection

5.1.1. In accordance with RCW Chapter 43.105 Consolidated Technology Services Agency, password protection is a risk management issue. The sharing of passwords creates unauthorized pathways into the network and data systems. By sharing any password with a confidant, you create the potential that sanctions may be brought against you and the unauthorized user.

5.1.2. Approaches to password security include and are not limited to the following:

5.1.2.1. Never write down your password.

5.1.2.2. Periodically change your password. (See FAQs for assistance)

5.1.2.3. Follow system specific password requirements.

5.1.2.4. Never share your password with anyone; if your password is compromised, immediately change it.

5.1.2.5. Breaches of password security for District employees must be reported immediately to the user(s) supervisor and the District IT Helpdesk.

5.1.2.6. If you need to keep a written record of passwords, store it in a secure place that only you know the location.

5.1.2.7 Participate in multi-factor authentication (MFA) methods whenever available.

5.2. Use of Computer Information Systems Resources (CISR)

5.2.1. CISR are provided to improve communication and information transference across the District.

5.2.2. Sending commercial advertising, promotional material or other forms of solicitation is prohibited by law and by District policies. (Use of State Resources) WAC 292-110-010.

5.2.3. The CIO or designee is responsible to communicate District policies and use of state resources to individuals, email groups, and other administrators to ensure compliance.

5.2.4. Limitations or restrictions may be placed upon CISR, including but not limited to storage space, time limits, or amount of resources consumed to ensure fair access for all users.

5.3. Computer Systems Modifications

5.3.1. Modification of computer hardware and software requires coordination with IT department.

5.3.2. Unauthorized system modifications are prohibited. Such restrictions are designed to ensure system integrity. These include but are not limited to the following:

5.3.2.1. Unauthorized installation/removal of hardware and/or software

5.3.2.2. Unauthorized access into network and/or system resources

5.3.2.3. Deliberate introduction of invasive computer software such as viruses.

5.3.3. Any installation of shareware or freeware must be accompanied by a written acknowledgement to the IT Department and will be a coordinated effort between the IT Department and the requestor.

5.3.4. Unauthorized modifications requiring an IT fix will be paid for by the appropriate department’s budget.

5.4. Software Licensing

5.4.1. It is the responsibility of the user to know, understand, and abide by all licensing agreements of software utilized. See EDUCOM Code for more information and to review the policy.

5.4.2. All software licenses and the original media purchased by the District will be retained by the IT Department or individual organizational entities approved by IT according to software licensing standards. It is the responsibility of IT to maintain a District Software Catalog to provide technical and resource support.

5.4.3. Unauthorized copying of software is illegal. Copyright laws protect software authors and publishers.

5.4.4. Shareware and freeware may become District resources once they have been approved by IT.

5.5. Network Security

In accordance with the Communications Assistance for Law Enforcement Act (CALEA), the Pierce College District is identified as a Private Network.

5.5.1. District Internet – The College’s internal wired and wireless networks are a private network that is provided exclusively to its students, employees, staff, visitors, conference attendees, invitees, and others involved in campus life and the academic community. Access may only be had at campus facilities or through a user access code.

5.5.2. District Library Networks – The College Library’s Internet is a private network that is provided exclusively for the benefit of students, employees, staff, visitors, conference attendees, college invitees, and others involved in campus life and the academic community, as well as members of the public. Access may only be had at campus library facilities or through a user access code.

5.6. Data Security & Protecting the Confidentiality of Private Information

Transporting or sending sensitive or confidential information – e.g., financial, personal, FERPA or HIPAA protected data -- is risky unless it is done in a secure environment. Each user must take steps to protect the confidentiality of electronic transfers, fax transmissions, and storage. All members of the Pierce College community who have access, or come into contact with protected sensitive/confidential information are governed by external agency guidelines for compliance purposes, others must understand the nature of the information and evaluate their actions in order to be consistent with the Pierce College policy for safeguarding information.

5.6.1 Data Classification Definitions & Requirements

Pierce College IT uses the data classifications outlined in the Office of the Chief Information Officer (OCIO) Policy 141.10, Securing Information Technology Assets Standards, as listed below:

Category 1 – Public Information (would give to anyone making a public records request)

Public information is information that can be safely transferred electronically, and released to the public. It does not need protection from unauthorized disclosure.

Public Information data includes the mission/vision/values of an agency, information related to obtaining services, staff phone numbers and work email addresses, budget information, and FERPA “directory information” designated at Pierce College as FERPA information at level 1.

Electronic transfer of data in this classification is not restricted.

Category 2 – Sensitive Information (subject to Public Disclosure)

Sensitive information may not be specifically protected from disclosure by law and is for official internal use. Sensitive information is generally not released to the public unless specifically requested.

Sensitive data should not be transferred outside the Pierce College network electronically unless on password protected media. You must be specifically authorized to transfer such data outside the college. Transfer inside the Pierce network is allowed. Specific examples include, but are not limited to:

  • Certain personnel records – e.g., misconduct records subject to public disclosure
  • Public Employee Financial information, but not salaries as this is public information
  • Employee Identification Number (EMPLID)
Category 3 – Confidential Information (exempt from Public Disclosure)

Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to:

  • Certain personal information about individuals, regardless of how that information is obtained
  • Certain information in employee personnel records
  • Information regarding IT infrastructure and security of computer and telecommunications systems

Confidential Information data includes personal network user information, data related to IT security, employee and student personal information such as home address, phone number, personal email address, including information designated as Pierce College FERPA levels 2 & 3.

This category of data can be transferred internally, with appropriate care – e.g., marked in email as confidential or private, or via secure network folders where everyone with access is authorized to see the data. Confidential data may only be transferred outside the college via password protected media. You must be specifically authorized to transfer such data outside the college.

Specific examples include, but are not limited to:

  • Personnel records. – e.g., Evaluations
  • Employee personal Information – e.g., home address, home email, home phone
  • Student identification numbers
  • Student email addresses

Note: Student email, personal email, or Pierce Microsoft Office 365 Email is not considered internal transfer.

Category 4 – Confidential Information Requiring Special Handling (exempt from Public Disclosure + other legal protections – e.g., FERPA, HIPAA, PCI, etc.)

Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:

  • Especially strict handling requirements are dictated, such as by statutes, regulations, or agreements.
  • Serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions.

Confidential Information Requiring Special Handling includes employee or student information such as social security number, date of birth, etc., and information designated as Pierce College FERPA level 4.

Specific examples include, but are not limited to:

  • Banking/Financial Account information, Credit Card Numbers
  • Employee and Student Social Security Number
  • Date of birth
  • Academic records of matriculated students
  • Educational records protected by FERPA
  • Medical Records, including psychological/counseling records

5.6.2. Data Handling Guidelines

5.6.2.1. All categories of Data shall be stored in as few places as possible and duplicated only when necessary.

5.6.2.2. Protected data must be stored on central administrative systems only. Exceptions must be approved in writing by the Vice President of Administrative Services.

5.6.2.3. Identify and inventory the data under your control that is external to central administrative systems. Know where you have data and in what form (electronic, paper, etc.). Purge or delete data files in a timely manner. That is, keep data you control "cleaned up". Data on your workstations, network drives, zip drives, backup tapes, etc., should be reviewed and purged/archived, properly and securely destroyed, or moved to a more secure location.

5.6.2.4. Do not save or copy protected data to local workstation or network drives, unless such data is not available on the centralized systems. If you must store data on the local workstations, teleworking computer, or personal network drives, it is your responsibility to ensure your workstation is secure and/or ensure that only authorized individuals have access.

5.6.2.5. Do not use shared network drive(s) to store or exchange data internally or externally unless you are certain that the access to those shared drive resources is restricted to individuals authorized to access such data. For example, do not put anything sensitive or confidential on what is currently the S: drive, unless folder access is limited to those authorized to access the sensitive data.

5.6.2.6. Do not send, or store any sensitive data via the Internet using e-mail, under any circumstances. E-mail via the Internet is not secure.

5.6.2.6.1 Social Security numbers and personal financial information must not be sent to any recipient via any unsecure message system. This prohibition includes email, voicemail, and text messaging systems to other Pierce employees. Exceptions must be approved in writing by the Vice President of Administrative Services, or designee.

5.6.2.7. Under no circumstances should credit card numbers be collected and stored on portable data storage devices, digital media, or paper media. Processing credit card numbers should be done via secure methods, which authorize or deny the transaction in real time. Exceptions must be approved in writing by the Vice President of Administrative Services or his/her designee.

5.6.2.8. Transmission of any sensitive data must be encrypted. Websites using protocols such HTTPS or SSL are encrypted sites. Virtual Private Network (VPN), FTP, or any other means of transferring files and data must use secure industry standard versions of these protocols. When in doubt, contact the IT help desk.

5.6.2.9. Users may transfer sensitive college data only with written authorization from Vice President of Administrative Services. If approved, such files must be password protected or assembled in password protected folders to safeguard materials on District-owned or personally owned portable data storage devices, such as flash drives or DVD/CD media.- e.g. zip drives, flash drives, CD-ROM, etc.

5.6.2.10. If a portable computer is the user's primary computer, any sensitive data transferred to the computer for use in day-to-day operations must be removed prior to taking the computer off campus. Exceptions must be approved in writing by Vice President of Administrative Services.

5.6.2.11. Fax transmissions over telephone lines are secure if appropriate safeguards exist when faxing sensitive information –i.e., make sure the fax recipient number is correct, and take steps to ensure the fax is not left in an unsecured area on the sending or receiving end. Fax transmissions involving computer networks only are not secure and the user must not include sensitive information. Using a network-based fax system that sends external faxes via telephone lines is secure, if the Pierce data folders are configured to be secure.

5.6.2.12. Users should exercise care when sending or transferring any sensitive or confidential information. In the case of email, it is recommended you add the following privacy notice to the bottom of any email that contains confidential information:

“Email Electronic Privacy Notice: This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation.”

5.6.3. Data Breach Handling Guidelines

5.6.3.1. All breaches, compromises, or unauthorized/unexplained access of protected sensitive or confidential data (Category 2, 3 & 4) must be reported immediately to the CIO or I.T. Security Administrator directly, or via contacting the Helpdesk.

5.6.3.2. The CIO or I.T. Security Administrator must report all breaches of sensitive or confidential data to the Risk Manager, Vice President of Administrative Services.

6. CISR Advisory Committee Responsibilities (CISRAC)

6.1. Interpret CISR policy/procedure.

6.2. Review CISR policy/procedure at least every two years and as required to address CISR emerging issues

6.3. Review and approve guidelines and procedures of individual organization entities before implementation.

Resources

Review/Revision History

Date Change Reference Section Revised By Approved By
6/16/2023 Updated Resource Links Resources Gayle Rambeau David Bilbrey
11/14/2022 Updated Resource Links Resources Gayle Rambeau David Bilbrey

9/16/2022

Corrected duplicate entry

5.6.1

David Bilbrey

 

8/31/2022

Minor adjustments

5.1

David Bilbrey

 

6/17/2021

Updated Resource Links

Resources

Gayle Rambeau

Mike Stocke

3/26/2021

Finalized draft for publication

All

David Bilbrey

 

3/15/2021

Document reviewed by Tech Council and suggestions provided to IT Security

All

Angelica Margullis

Technology Council

11/30/2020

Minor adjustments

All

David Bilbrey

 

1/16/2020

Revisions and updates as necessary to entirety of document, applicable hyperlinks and resources

Entire document

David Bilbrey

 

1/12/2016

Combined 5.6.2.6.1 and 5.6.2.6.2 and adjusted format

5.6.2.6.1
5.6.2.6.2

Kris Nelson

Technology Council

1/11/2016

Added specifics about the transmission of sensitive data and financial information

5.6.2.6.1
5.6.2.6.2

Katherine Adler

Technology Council

4/4/13

Changed Dean of Technology to CIO throughout the document to reflect change in job title.

 

Kathy Parhomski

 

3/15/13

Fixed bullet numbering in 6.1-6.3

 

Mike Hoelscher

 

3/2012

Approved by Cabinet

5.6

Mike Stocke

Cabinet

2/07/12

In collaboration with HR – Jan B, Deena F. – added more clarification to Data Classifications, added examples for the Data Classifications.

5.6

Mike Hoelscher

 

02/05/12

Updated Data Classifications to align with OCIO Security Standards

5.6

Mike Hoelscher

 

5/31/11

Formatting Changes Only

5.2.3

Kathy Parhomski

 

3/22/11

Revisions to add ISB Data Classification categories, minor document wording changes related to the actual ISB Data Classification wording.

5.6

Mike Hoelscher

 

10/13/10

The Dean of Institutional Technology or designee is responsible to ensure compliance

5.2.3

Kathy Parhomski

 

7/30/07

Review recommended new language

5.5 Network Security
5.5.1. District Internet
5.5.2.District Library Networks

CISRAC Committee

Pending

5/16/07

Updated Resource Links

Resources

Kathy Parhomski

Michael Taylor

11/13/06

The Director of Network and Web Administration or designee is responsible to ensure compliance 

5.2.3

CISRAC

CISRAC