Acceptable Use Policy

Purpose

The purpose of the Northeast Iowa Community College (NICC) Acceptable Use Policy is to establish acceptable practices regarding the use of NICC information resources in order to protect the confidentiality, integrity and availability of information created, collected and maintained. This policy has been designed for the protection of both individual and institutional interests and published in the spirit of mutual respect and cooperation among all users and stakeholders of NICC computing resources.

Audience

The NICC Acceptable Use Policy applies to any individual, entity, or process that interacts with any NICC information resource. Personnel includes authorized users who access information technology resources under the control of NICC including but not limited to: students; employees; authorized stakeholders; and other authorized users as determined by NICC institutions.

Items referenced in boldface type, example: information resources are defined in Appendix A: Definitions.

Contents

Guiding Principles For The Use Of All College Resources

Purpose of College Computing Resources: Northeast Iowa Community College computing facilities exist to provide computing services to the College community in support of instructional, research, and College business. The guidelines are intended to improve the computing services offered and provide these services in a cost-effective manner.

Academic Freedom: Consistent with other College policies, this policy is intended to respect the rights and obligations of academic freedom. As with all College resources, the NICC community is encouraged to make innovative and creative use of information technologies in support of education and college services. Access to information representing a multitude of views on all issues will be allowed for the interest, information and enlightenment of the NICC community.

Copyright and Non-discrimination: The College policy recognizes that the purpose of copyright is to protect the rights of the creators of intellectual property and to prevent the unauthorized use or sale of works available in the private sector. Also consistent with other College policies, an individual's right of access to computer materials should not be denied or abridged because it is the policy of Northeast Iowa Community College not to discriminate on the basis of race, color, national origin, sex, disability, age (employment), sexual orientation, gender identity, creed, religion, and actual or potential parental, family or marital status in its programs, activities, or employment practices as required by federal and state civil rights regulations. View the full policy at https://www.nicc.edu/aboutnicc/nondiscriminationpolicy/

Cautionary statement: The College cannot protect individuals against the existence or receipt of material that may be offensive to them. Those who make use of electronic communications are warned that they may come across or be recipients of material they find offensive. Those who use email and/or make information about themselves available on the Internet should be forewarned that the College cannot protect them from invasions of privacy and other possible dangers that could result from the individual's distribution of personal information.

Consideration for others: The computing and network facilities of the College are limited and must be used wisely and carefully with consideration for the needs of others and the public nature of the College. Computers and network systems offer powerful tools for communication among members of the community and of communities outside the College. When used appropriately, these tools can enhance dialog and communications. When used inappropriately, however, these tools can infringe on the beliefs or rights of others, or the public purpose for which they were created.

Policy

Acceptable Use

• Personnel are responsible for complying with NICC policies when using NICC information resources and/or on NICC time. If requirements or responsibilities are unclear, please seek assistance from the Information Security Committee or your immediate supervisor.
• Personnel must promptly report the theft, loss or unauthorized disclosure of NICC confidential or internal information through the Information Security-Suspicious Activity Report (https://cm.maxient.com/reportingform.php?NortheastIowaCC&layout_id=5)   and/or the NICC Helpdesk.
• Personnel shall not purposely engage in activity that may:

• Violate the College's Equal Opportunity, Harassment, and Nondiscrimination Policy.
• Degrade the performance of NICC information resources.
• Deprive authorized NICC personnel access to a NICC information resource. 
• Obtain additional resources beyond those allocated.
• Circumvent NICC computer security measures.

• Personnel must not download, install or run security programs or utilities that reveal or exploit weakness in the security of a system. For example, NICC personnel must not run password cracking programs, packet sniffers, port scanners, or any other non-approved programs on any NICC information resource.
• All inventions, intellectual property and proprietary information, including reports, drawings, blueprints, software codes, computer programs, data, writings and technical information, developed on NICC time and/or using NICC information resources are the property of NICC.
• Use of encryption must be managed in a manner that allows designated NICC personnel to promptly access all data.
• NICC information resources are provided to facilitate company business and must not be used for personal gain.
• NICC information resources must not be used to store personal data such as photos, videos, files, etc. NICC information resources are for business purposes only.
• Personnel are expected to cooperate with incident investigations, including any federal or state investigations.
• Personnel are expected to respect and comply with all legal protections provided by patents, copyrights, trademarks, and intellectual property rights for any software and/or materials viewed, used or obtained using NICC information resources.
• Personnel are expected to report all illegal activity and/or violation(s) of College policy via the appropriate report form (incident of concern or information security - suspicious activity).

• The perpetrator may be subject to discipline up to and including termination.
• Illegal activity may be reported to law enforcement.

Access Management

• Access to information is based on "need to know".
• Authorization levels:

• User access levels shall not be greater than that required to conduct college business; i.e. a User who does not conduct system administration on an information resource should not be given system administrator privileges on that information resource.
• Users shall not attempt to obtain a higher authorization level without permission.

• Personnel are permitted to use only those network and host addresses issued to them by NICC CIS and must not attempt to access any data or programs contained on NICC systems for which they do not have authorization or explicit consent.
• All remote access connections made to internal NICC networks and/or environments must be made through approved NICC-provided connections.
• Personnel shall not divulge any access information to anyone not specifically authorized to receive such information.
• Personnel must not share their NICC authentication information, including:

• Account passwords. 
• Personal Identification Numbers (PINs). 
• Security Tokens (i.e. Smartcard). 
• Access cards and/or keys.
• Digital certificates.
• Similar information or devices used for identification and authentication purposes.

Authentication/Passwords

• All personnel are required to maintain the confidentiality of personal authentication information.
• Any group/shared authentication information must be maintained solely among the authorized members of the group.
• All passwords, including initial and/or temporary passwords, must be constructed and implemented according to the following NICC rules:

• Must meet all requirements established in the NICC Authentication Standard, including minimum length, complexity and rotation requirements.
• Must not be easily tied back to the account owner by using things like: user name, social security number, nickname, relative’s names, birth date, etc.
• Should not include common words, such as using dictionary words or acronyms.
• Should not be the same passwords as used for non-business purposes.

• Password history should be kept to prevent the reuse of passwords.
• Unique passwords should be used for each system, whenever possible.
• User account passwords must not be divulged to anyone.  NICC support personnel and/or contractors shall never ask for user account passwords.
• If the security of a password is in doubt, the password should be changed immediately.

Clear Desk/Clear Screen

• Personnel should log off from applications or network services when they are no longer needed.
• Personnel should log off or lock their workstations and laptops when their workspace is unattended.
• Confidential or internal information should be removed or placed in a locked drawer or file cabinet when the workstation is unattended and at the end of the workday if physical access to the workspace cannot be secured by other means.
• File cabinets containing confidential information must be locked when not in use or when unattended.
• Physical and/or electronic keys used to access confidential information should not be left on an unattended desk or in an unattended workspace if the workspace itself is not physically secured.
• Laptops should be either locked with a locking cable or locked away in a drawer or cabinet when the work area is unattended or at the end of the workday if the laptop is not encrypted.
• Passwords must not be posted on or under a computer or in any other physically accessible location.
• Copies of documents containing confidential information must be immediately removed from printers and fax machines.

Data Security

• Personnel should use approved encrypted communication methods whenever sending confidential information over public computer networks (Internet).
• Confidential information transmitted via USPS or other mail service, including inter-campus mail delivery, must be secured in compliance with the Information Classification and Management Policy.
• Only authorized cloud computing applications may be used for sharing, storing and transferring confidential or internal information.

• Information must be appropriately shared, handled, transferred, saved and destroyed, based on the information sensitivity.
• Confidential information must be transported either by an NICC employee or a courier approved by Administration.
• All electronic media containing confidential information must be securely disposed of. Please contact CIS/Operations for guidance or assistance.

Email and Electronic Communication

• Auto-forwarding electronic messages outside the NICC internal systems is prohibited.
• Electronic communications should not misrepresent the originator or NICC.
• Personnel are responsible for the accounts assigned to them and for the actions taken with their accounts.
• Accounts must not be shared without prior authorization from NICC CIS, with the exception of calendars and related calendaring functions.
• Employees should not use personal email accounts to send or receive NICC confidential information.
• Any personal use of NICC provided email must not:

• Involve solicitation.
• Have the potential to harm the reputation of NICC.
• Forward chain emails.
• Contain or promote unethical behavior.
• Violate local, state, federal, or international laws or regulations.
• Result in unauthorized disclosure of NICC confidential information.

• Personnel should only send confidential information using secure electronic messaging solutions.
• Personnel should use caution when responding to, clicking on links within, or opening attachments included in electronic communications.
• Personnel should use discretion in disclosing confidential or internal information in Out of Office or other automated responses, such as employment data, internal telephone numbers, location information or other sensitive information.

Hardware and Software

• All hardware must be formally approved by CIS before being connected to NICC networks.
• Software installed on NICC equipment must be approved by CIS and installed by NICC CIS personnel.
• All NICC assets taken off-site should be physically secured at all times.
• Employees shall not allow family members or other non-employees to access NICC information resources.

Internet

• The Internet must not be used to communicate NICC confidential or internal information, unless the confidentiality and integrity of the information is ensured and the identity of the recipient(s) is established.
• Use of the Internet with NICC networking or computing resources must only be used for business/educational-related activities. Unapproved activities include, but are not limited to:
• Access to the Internet from outside the NICC network using a NICC owned computer must adhere to all of the same policies that apply to use from within NICC facilities.

Mobile Devices and Bring Your Own Device (BYOD)

• The use of a personally-owned mobile device to connect to the NICC internal network is a privilege granted to employees only upon formal approval of CIS.
• Mobile devices that access NICC email should have multi factor authentication or other authentication mechanisms enabled.
• Confidential information should only be stored on devices that are encrypted in compliance with the NICC Encryption Standard.
• NICC confidential information should not be stored on any personally-owned mobile device.
• Theft or loss of any mobile device that has been used to create, store, or access confidential or internal information must be reported through the Information Security-Suspicious Activity Report (https://cm.maxient.com/reportingform.php?NortheastIowaCC&layout_id=5) and/or the NICC Helpdesk.

• NICC CIS may choose to execute “remote wipe” capabilities for CIS issued mobile devices without warning as specified in the Mobile Employee Endpoint Responsibility Policy. 
• In the event that there is a suspected incident or breach associated with a mobile device, it may be necessary to remove the device from the personnel’s possession as part of a formal investigation.
• All mobile device usage in relation to NICC information resources may be monitored, at the discretion of NICC CIS.
• NICC CIS support for personally-owned mobile devices is limited to assistance in complying with this policy.  NICC CIS support may not be able to assist in troubleshooting device usability issues.
• Use of personally-owned devices must be in compliance with all other NICC policies.
• NICC reserves the right to revoke personally-owned mobile device use privileges in the event that personnel do not abide by the requirements set forth in this policy.

Privacy

• Information created, sent, received, or stored on NICC information resources are not private and may be accessed by NICC CIS employees at any time, under the direction of NICC executive management and/or Human Resources, without knowledge of the user or resource owner.
• NICC may log, review, and otherwise utilize any information stored on or passing through its information resource systems.
• Systems Administrators, NICC CIS, and other authorized NICC personnel may have privileges that extend beyond those granted to standard business personnel.  Personnel with extended privileges should not access files and/or other information that is not specifically required to carry out an employment related task.

Removable Media

• The use of removable media for storage of NICC information must be supported by a reasonable business case.
• Personally-owned removable media use is not permitted for storage of NICC information.
• Confidential and internal NICC information should not be stored on removable media without the use of encryption.
• The loss or theft of a removable media device that may have contained NICC information must be reported through the  Information Security-Suspicious Activity Report (https://cm.maxient.com/reportingform.php?NortheastIowaCC&layout_id=5) and/or the NICC Helpdesk.

Social Media

• Communications made with respect to social media should be made in compliance with all applicable NICC policies.
• Personnel are personally responsible for the content they publish on any social media outlet
• Only personnel, whom External Relations has granted administrative rights to, is allowed to post from or make comments from an official NICC social media account.
• Creating any public social media account intended to represent NICC, including accounts that could reasonably be assumed to be an official NICC account, requires the permission of the External Relations Department.
• When discussing NICC or NICC -related matters on your personal social media accounts, you should:

• Identify yourself by name.
• Identify yourself as an NICC representative.
• Make it clear that you are speaking for yourself and not on behalf of NICC, unless you have been explicitly approved to do so.

• Personnel should not misrepresent their role at NICC.
• When publishing NICC -relevant content online in a personal capacity, a disclaimer should accompany the content.  An example disclaimer could be; “The opinions and content are my own and do not necessarily represent NICC’s position or opinion.”
• Content posted online should not violate any applicable laws (i.e. copyright, fair use, financial disclosure, or privacy laws).
• Content posted should not violate any NICC policy.
• Confidential information, internal communications and non-public financial or operational information may not be published online in any form.
• Personal information belonging to customers may not be published online.  
• Personnel approved to post, review or approve content on NICC social media sites must follow the NICC Social Media Procedures.

Voice Mail

• Personnel should use discretion in disclosing confidential or internal information in voice mail greetings, such as employment data, internal telephone numbers, location information or other sensitive information.
• Personnel must not access another user’s voicemail account unless it has been explicitly authorized by an appropriate supervisor.

Incidental Use

• As a convenience to NICC personnel, incidental use of information resources is permitted. The following restrictions apply:

• Incidental personal use of electronic communications, Internet access, fax machines, printers, copiers, and so on, is restricted to NICC approved personnel; it does not extend to family members or other acquaintances.
• Incidental use should not result in direct costs to NICC.
• Incidental use should not interfere with the normal performance of an employee’s work duties.
• No files or documents may be sent or received that may cause legal action against, or embarrassment to, NICC or its customers.

• Storage of personal email messages, voice messages, files and documents within NICC information resources must be nominal.
• All information located on NICC information resources owned by NICC may be subject to open records requests, and may be accessed in accordance with this policy.

Disclaimer

NICC does not warrant that the functions or services performed by or that the information or software contained on the College’s technology resources will be kept confidential, meet the user’s requirements or that resources will be uninterrupted or error-free or that defects will be corrected. NICC does not make any warranties, whether expressed or implied including, without limitation, those of merchantability and fitness for a particular purpose, with respect to any technological products or services or any information or software contained therein.

Definitions

See Appendix A: Definitions

Waivers

Waivers from certain policy provisions may be sought following the NICC Waiver Process.

Exemptions

Exemptions from certain policy provisions may be sought.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.  

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Version History