Information Technology Policies

Acceptable Use Policy

Introduction

This policy will provide guidance to all users on the proper and acceptable use of Keuka College’s electronic resources. The technology resources at Keuka College include, but are not limited to, all networking, hardware and software, internet access, email, telephone equipment, and voicemail. These services are provided to support the activities of the organization and should be used for those purposes.

• Use should always be legal, ethical, and consistent with Keuka College's general standards for community behavior.

• Use of Keuka College’s technology resources or data for personal business, political campaigning, or for commercial use is prohibited, except as authorized by Keuka College.

Scope

This policy applies to all Keuka College employees, contractors, temporary staff, students, and other authorized users who have access to or are responsible for an account on any system or network used for Keuka College business operations. It is the user’s responsibility to read and understand this policy and related policies to conduct their activities in accordance with its terms.

Policy

Except for any privilege or confidentiality recognized by law, individuals have no legitimate expectation of privacy during any use of Keuka College’s technology resources or in any data on those resources. Any use may be monitored, intercepted, recorded, read, copied, accessed, or captured in any manner including in real-time, and used or disclosed in any manner, by authorized personnel without additional prior notice to individuals. Periodic monitoring will be conducted of systems used, including but not limited to: all computer files; and all forms of electronic communication (including email, text messaging, instant messaging, telephones, computer systems, and other electronic records). In addition to the notice provided in this policy, users may also be notified with a warning banner text at system entry points where users initially sign on about being monitored and may be reminded that unauthorized use of Keuka College’s technology resources is not permissible.

Keuka College may impose restrictions on the use of a particular IT resource. For example, Keuka College may block access to certain websites or services not serving legitimate business purposes or may restrict user ability to attach devices to Keuka College’s technology resources (e.g., personal USB drives, external storage devices).

Employees accessing Keuka College’s applications and technology resources through personal devices must only do so with prior approval or authorization from the organization.

Acceptable Use

All uses of information and information technology resources must comply with organizational policies, standards, procedures, and guidelines, as well as any applicable license agreements and laws including Federal, State, local and intellectual property laws.

The acceptable use of information and technology resources includes the following responsibilities:

  • Understanding the baseline information security controls necessary to protect the confidentiality, integrity, and availability of information;
  • Protecting organizational information and resources from unauthorized use or disclosure;
  • Protecting personal, private, sensitive, or confidential information from unauthorized use or disclosure;
  • Observing authorized levels of access and utilizing only approved IT technology devices or services; and
  • Immediately reporting suspected information security incidents or weaknesses to the appropriate manager and the Associate Vice President of Technical Solutions or designated security representative.

Unacceptable Use

The following list is not intended to be exhaustive but is an attempt to provide a framework for activities that constitute unacceptable use. Users, however, may be exempted from one or more of these restrictions during their authorized job responsibilities, after approval from management, in consultation with Keuka College IT staff (e.g., storage of objectionable material in the context of a disciplinary matter).

Unacceptable use includes, but is not limited to, the following:

• unauthorized use or disclosure of personal, private, restricted, sensitive, and/or confidential information;
• unauthorized use or disclosure of organization information and resources;
• distributing, transmitting, posting, or storing any electronic communications, material or correspondence that is threatening, obscene, harassing, pornographic, offensive, defamatory, discriminatory, inflammatory, illegal, or intentionally false or inaccurate;
• attempting to represent the organization in matters unrelated to official authorized job duties or responsibilities;
• connecting unapproved devices to the Keuka College network or any IT resource;
• connecting organizational technology resources to unauthorized networks;
• installing, downloading, or running software that has not been approved following appropriate security, legal, and/or IT review in accordance with organizational policies;
• connecting to commercial email systems (e.g., Gmail or other email providers for personal use) without prior management approval (Keuka College recognizes the inherent risk in using commercial email services as email is often used to distribute malware);
• using a Keuka College technology resource to circulate unauthorized solicitations or advertisements for non-organizational purposes including religious, political, or not-for-profit entities;
• providing unauthorized third parties, including family and friends, access to the organization’s IT information, resources, or facilities;
• using College IT information or resources for commercial or personal purposes, in support of "for-profit" activities or in support of other outside employment or business activity (e.g., consulting for pay, business transactions);
• propagating chain letters, fraudulent mass mailings, spam, or other types of undesirable and unwanted email content using organizational technology resources; and
• tampering, disengaging, or otherwise circumventing organizational or third-party IT security controls.

Occasional and Incidental Personal Use

Keuka College allows users the occasional, incidental, and necessary personal use of technology resources, provided such use:

• is consistent with this policy;
• does not conflict with any other security policy;
• is limited in amount and duration; and
• does not impede the ability of the individual or other users to fulfill the organization’s responsibilities and duties, including, but not limited to, through extensive bandwidth, resource, or storage utilization.

Exercising good judgment regarding occasional and incidental personal use is important. Keuka College may revoke or limit this privilege at any time.

Individual Accountability

Individual accountability is required when accessing all technology resources and organization information. Everyone is responsible for protecting against unauthorized activities performed under their user ID. This includes locking your computer screen when you walk away from your system and protecting your credentials (e.g., passwords, OTP hardware, or similar technology) from unauthorized disclosure. Credentials must be treated as confidential information and must not be disclosed or shared.

Restrictions on Off-Site Transmission and Storage of Information

Users should not transmit personal, confidential, sensitive, or restricted information over email if it can be avoided. Users must not transmit non-public, personal, confidential, sensitive, or restricted information to or from personal email accounts (e.g., Gmail, Hotmail, Yahoo) or use a non-Keuka College email account to conduct Keuka College business unless explicitly authorized. Users must not store sensitive, restricted organizational, non-public, personal, or confidential information on a non-organization-issued device, or with a third-party file storage service that has not been approved for such storage by the College.

While off-site, devices that contain sensitive information must be attended at all times or physically secured and must not be checked in transportation carrier luggage systems. Any device containing sensitive information that leaves the Keuka College location requires additional safeguards.

User Responsibility for IT Equipment

Users are routinely assigned or given access to IT equipment in connection with their official duties. Equipment is selected by the IT Department to ensure compatibility with the current technical infrastructure of the College. This equipment belongs to Keuka College and must be immediately returned upon request or at the time an employee is separated from the College. Users are financially responsible for the value of equipment assigned to their care if it is not returned to the College. Should IT equipment be lost or stolen, users must notify IT immediately. Should IT equipment be lost, stolen or destroyed, users are required to provide a written report of the circumstances surrounding the incident. Users may be subject to disciplinary action which may include repayment of the replacement value of the equipment. The organization has the discretion to not issue or re-issue IT devices and equipment to users who repeatedly lose or damage IT equipment.

Use of Social Media

All users are prohibited from publicly posting any personal, confidential, sensitive, or restricted information, unauthorized pictures or information regarding Keuka College or Keuka College employees/students. Even accidental posting of personal, confidential, sensitive, or restricted information may result in criminal penalties.

Unless specifically authorized, employees are prohibited from using organizational email addresses on public social media sites. In instances where users access social media sites on their own time utilizing personal resources, they must remain sensitive to expectations that they will conduct themselves in a responsible, professional, and secure manner with regard to references to the organization and staff. These expectations are outlined below:

a. Use of Social Media within the Scope of Official Duties

Keuka College's designated Public Information Officer (PIO) is the Associate Vice President of Marketing and Communications. The PIO, or designee, must review and approve the content of any posting of public information, such as blog comments, tweets, video files, or streams, to social media sites on behalf of Keuka College. However, PIO approval is not required for postings to public forums for technical support, if participation in such forums is within the scope of the user’s official duties, has been previously approved by his or her supervisor, and does not include the posting of any sensitive information, including specifics of the IT infrastructure. In addition, PIO approval is not required for postings to private, organization-approved social media collaboration sites. Blanket approvals may be granted, as appropriate.

Accounts used to manage Keuka College’s social media presence are privileged accounts and must be treated as such. These accounts are for official use only and must not be used for personal use. Passwords of privileged accounts must follow information security standards, be unique on each site, and must not be the same as passwords used to access other technology resources.

b. Guidelines for Personal Use of Social Media

Employees must be sensitive to the fact that information posted on social media sites clearly reflects on the individual and may also reflect on the individual’s professional life. Consequently, employees must use discretion when posting information on these sites and be conscious of the potential perceptions of and responses to the information.

Users must respect the privacy of Keuka College's constituents by not posting any identifying information of any employees or students without permission (including, but not limited to, names, addresses, photos, videos, email addresses, and phone numbers). Users will be held accountable for comments posted on social media sites.

If a personal email, posting, or other electronic message could be construed to be an official communication, a disclaimer is strongly recommended. A disclaimer might be: “The views and opinions expressed are those of the author and do not necessarily reflect those of the organization.”

Users must not use their personal social media accounts for official business unless specifically authorized by the organization. Users must not use the same passwords in their personal use of social media sites as those used on organizational devices and technology resources, to prevent unauthorized access to resources if the password is compromised.

Compliance

Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time. If compliance with this standard is not feasible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the IT department's exception process.

Exceptions

Exceptions to the policy may be granted by the Vice President overseeing the IT Department.