SP 3-125c
APPROVED: May 1, 2006
EFFECTIVE: May 1, 2006
REVISED: August 4, 2008
REVISED: February 24, 2014
REFERENCE: BP 3-125, Electronic Communication Policy
APPROVED:
/ Nancy J. McCallin /
Nancy J. McCallin, Ph.D.
System President
In support of its mission, to provide an accessible, responsive learning environment that facilitates the achievement of educational, professional and personal goals by our students and other members of our communities in an atmosphere that embraces academic excellence, diversity and innovation, the Colorado Community College System (CCCS or System) provides access to computing and information resources for students, faculty, and staff within institutional priorities and financial capabilities. This procedure contains the governing philosophy for regulating faculty, student, and staff use of the System’s computing resources. It spells out the general principles regarding appropriate use of equipment, software, networks and data. In addition to this procedure, all members of the CCCS community are also bound by local, state, and federal laws relating to copyrights, security, and other statutes regarding electronic media.
The rules and conditions of this procedure apply to all users of all systems in all locations of the System. Willful violations of the following policies and procedures may result in disciplinary action, which may result in actions up to and including termination and necessary legal action.
In accordance with the Colorado Open Records Act (CORA) (CRS § 24-72-201 et seq.), it should be recognized that all public records are open for inspection by any person at reasonable times. The basic definition of “public records” in CORA is “all writings made, maintained, or kept by the state…” This includes information and email on state employees’ computers. The only public records that fall outside this policy are records identified in specific exceptions set forth in CORA, in other Colorado statutes, and in federal law, such as student educational records pursuant to the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA).
CCCS has the right to monitor any and all aspects of its computer and telecommunications systems including employee email, voice mail, and file structures on any CCCS system. CCCS’s right to monitor its computer system and telecommunications equipment includes, but is not limited to, monitoring sites users visit on the Internet, monitoring chat groups and newsgroups, reviewing material downloaded or uploaded by users, and reviewing email sent and received by users. The computer and telecommunication systems are provided to employees to assist them in meeting the requirements for the performance of their positions in CCCS. Employees should not have an expectation of privacy in anything that they create, send, or receive on CCCS systems. Since systems are provided for CCCS business, all transactions and all data on the systems are considered to be business-related and therefore owned by the CCCS. All systems owned by CCCS are to be used primarily for CCCS business purposes, including academic pursuits. Incidental and occasional personal use is permitted only to the extent that it does not result in a direct cost to CCCS or interfere with CCCS business. CCCS’s control of all information on CCCS computers does not implicate intellectual property rights. Intellectual property rights are governed by Federal statutes and by the State Board for Community Colleges and Occupational Education’s Board Policy 3-90.
Employees using CCCS systems should adhere to the following rules which apply to all computer and telecommunications resources including mainframe hosts, mid range hosts, micro computer hosts, file servers, desktops, notebooks, laptops, handheld devices, network infrastructure, phone systems, voice mail systems, Internet connectivity, bulletin board systems, email systems and other resources. Throughout the policy “IT” refers to CCCS-IT and/or the College IT department as appropriate.
This procedure will be updated from time to time at CCCS’s discretion. Changes to this procedure will be made periodically by CCCS:
All CCCS employees and associates have an obligation (and are required by law) to protect confidential information, which includes but is not limited to FERPA protected student educational records, financial aid information, and personally identifiable information. Any questions regarding what information is public and available for sharing should be referred to your supervisor who will then confer with CCCS Legal Department. The confidentiality obligation also pertains to any party accessing any communication system. Uploading or sharing of confidential data, files, documents, or information is prohibited on websites or by using programs that have not been specifically approved by CCCS.
Confidential information may only be stored on secure servers owned or provided by CCCS. Confidential information shall not be stored anywhere in the cloud, unless explicitly provided or supported by CCCS, on personal computers or laptops, or any portable electronic devices.
Anyone using a CCCS computer, application or communication system must have a unique User ID and Password. This includes user accounts for the Local Area Network, Servers, and task-specific software applications such as Banner and Desire2Learn. To maintain system security, users are not to login as another user. Generic logins will not be issued unless an application requires it with no work-around. Each System college shall have a provision that open access computers for libraries are off the production network and are monitored for use.
The network and various application systems require all users to change their passwords every sixty (60) days. Passwords must be at least eight (8) characters in length and contain at least three (3) of the following four (4) conditions: upper-case characters, lowercase characters, numeric character, or special character (such as a numeric or punctuation character). Easily guessed passwords, such as the name of a spouse or child, job title, address, etc., should not be used.
For protection of users and the confidentiality of data, users are prohibited from disclosing their passwords to others. Logins and passwords are not to be written down and/or displayed or kept in places such as desk drawers, keyboard trays, etc. If a user suspects that their password has been disclosed, they are required to change it immediately. User accounts are not transferable to temporary employees; if someone will be filling in for a user during an absence, a temporary account must be used for the interim employee. Security will be set up to make the user’s data accessible by the person filling in.
For protection of users and the confidentiality of data, users are required to logout, shut down their workstations, or activate a screen saver with password protection when leaving their computers unattended, even if leaving for only a few minutes.
Users are to completely log off and turn off their computers when leaving for the day. Users should always stay until their system shuts down according to the normal shutdown process. If the computer fails to shut down properly, the local computer support desk should be notified. Never turn off the power before the shutdown process is completed to avoid possible file corruption.
By default, all CCCS users are provided with Standard User Access to their individual computer workstations. This level of access grants the user the ability to utilize all IT (system and college) installed resources, while not allowing the user to install or maintain software, or make any modifications to the computer’s operating system.
Exceptions may be granted to CCCS users who require Administrator Access to their computer workstation to perform specific job related duties, which cannot be performed using any other means or workaround. These exceptions must be pre-approved in writing by the user’s supervisor and system Chief Technology Officer or college IT Director or designee as appropriate.
Use of Administrator Access should be consistent with an individual’s role or job responsibilities as prescribed by management. When an individual’s role or job responsibilities change, Administrator Access should be appropriately updated or removed. In situations where it is unclear whether a particular action is appropriate, and within the scope of current job responsibilities, the situation should be discussed with the user’s supervisor and system Chief Technology Officer or college IT Director or designee.
The following constitute inappropriate use of Administrator Access to CCCS computing resources unless pre-approved in writing by the user’s supervisor and IT:
The following constitutes inappropriate use of Administrator Access to CCCS computing resources under any circumstances, regardless of whether there is supervisor or IT approval:
All users must comply with all software licenses, copyrights, and all other state and federal laws governing software licensing and intellectual property.
CCCS IT and college IT staff provides and installs software that has been determined is necessary for business purposes and can be installed or downloaded to CCCS equipment without damage to CCCS systems of interests (“Official Software”). CCCS is the owner or licensee of Official Software and is responsible for enforceable contract or license terms associated with ownership or licensure (enforceable terms do not include terms of adhesion or terms that are against public policy). Any software installed or downloaded on CCCS hardware by individual employees, whether used for business of personal reasons, is not Official Software and the contract or license terms are the responsibility of the employee who downloads or installs the software.
Any incidental and occasional use of CCCS electronic mail resources for personal purposes is subject to the provisions of BP 3-125 and this procedure.
Fraudulent, harassing, embarrassing, indecent, profane, obscene, intimidating, or other unlawful material may not be sent via email, viewed and downloaded, or passed by any other form of communication, including social media, or be displayed or stored. Exceptions may be made for various instructional purposes.
Creation and forwarding of non-business email including advertisements, chain mail, solicitations, promotions, political material, etc., are not allowed. Creation of officially recognized CCCS or college social media accounts must adhere to SP 3-125f.
Charitable or community-related Internet use or sending of emails may be disseminated only with prior approval of a college or System president, as appropriate.
Various procedures are in place to protect the CCCS information systems from virus/malware infection. Since removable media can introduce a variety of malicious software into the campus network, users should exercise caution in their use of these devices. Any time removable media is used to transfer files it should be scanned prior to file copy.
All system hard disks will be scanned for viruses/malware on a regular basis according to established standard procedures. Background scanning should always be enabled on client systems to check for viruses/malware. If a malicious program is found, a message will be displayed and the file with the virus/malware will be identified. If this happens, the user must call the computer support desk immediately and must not use the system until authorized IT personnel have diagnosed and eliminated the virus/malware.
Disabling or elimination of virus/malware programs by users is considered a violation of procedure.
CCCS-owned computer equipment and peripherals may not be removed from the premises, relocated, or loaned to others without prior written authorization from computer support desk or appropriately authorized individual. Some employees who travel frequently may be assigned a laptop or portable device by the employee’s manager. Computers or peripherals not owned by CCCS may be used on the CCCS premises only as a stand-alone device not connected to any CCCS computer, network or telecommunication system. Exceptions to this may be the connection of personal computers to public wireless, projection systems or other devices that are not part of the production network. This must be supervised by a CCCS employee. CCCS is not liable for any damages to personal systems used in this manner. Only authorized IT staff are allowed to install applications or configure these devices. Some employees may be allowed to connect either their own computers or CCCS owned computers to CCCS network from home or when traveling on college business, using a secure CCCS-assigned VPN or remote access application. However, computer support desk and IT personnel are not allowed to service any computer not owned by CCCS. All computer equipment assigned to employees must be returned intact upon termination of employment.
Smart phones and other mobile devices combine telecommunications capabilities with some data application extensions. Although iPads and tablets do not currently have telecommunications capabilities, they are considered mobile devices for the purposes of this procedure. Employees use these devices to check email, read documents, transmit pictures and perform other limited office communication tasks. CCCS has adopted the following policies with respect to these devices:
Remote system access including, virtual private network connections, Virtual system connections, account ID’s, and passwords are to be kept in strictest confidence. Users are not to give the connection ID, number, addressing or the passwords to anyone else. Employees who need remote access may request it from the computer support desk at their college. All requests for remote access must be authorized in writing by the employee’s appropriate supervisor.
College IT is responsible for performing nightly backups on network hosts and servers only for their college campus location. CCCS IT is responsible for the backup of Exchange Email data. Local PC hard drives will not be backed up in any way. For this reason, the use of local PC hard drives for file storage is greatly discouraged. All users are required to log out of the system completely at the end of every work day. If a user has not properly logged out of the network at the time of backup, active files cannot be backed up. Confidential information may only be stored on secure servers owned by CCCS, not in the cloud or any non-CCCS storage location, not on personal computers or laptops, or any mobile / portable electronic devices.
Local PC hard drives will be securely erased following state certified procedures when employment ends or the PC (Desktop PC, Laptop Computer, mobile device, etc.) is taken out of service. Any data on the local PC hard drive is subject to loss and will not be recovered. Any work related documentation would be forwarded to the appropriate individual(s) designated by the supervisor.
Physical security is the first layer of control to restrict access to the information systems. All employees have a responsibility for security within their offices, computers and telecommunications facilities.
All computers, peripheral devices (including mobile devices, printers, monitors, projectors, etc.) and telecommunication systems will be inventoried at a minimum of once a year in accordance with Fiscal Policies for Fixed Asset Tracking. If systems cannot be accounted for by the department, the department management and the responsible employee or employees will be held accountable. Computer systems or equipment should not be moved or exchanged between employees without the notification and support of College IT staff or System IT staff as appropriate.
All CCCS employees have a duty to report all information regarding security violations or misuse of hardware or software to either their supervisor and/or IT department immediately. Employees can also report security violations to the Employee Hotline.
Prohibited activities on CCCS computers and telecommunications systems include but are not limited to:
All those devices are electronic communication resources and fall under the definition of IT resources. A single policy and procedure was written for all IT resources in order to address related policy issues and to make it easier for users to be informed of policy requirements.
No, since you paid for your computer from your own funds, BP 3-125 does not apply. However, if you use your computer to connect to a CCCS IT resource, such as the data communications network, BP 3-125 and this procedure apply to any action you take via your computer on that resource.
Suppose you use the CCCS network to connect to a database belonging to another institution. Both the CCCS IT policy and any policies of the other institution apply to your actions. Depending on what you do while connected to that database, Federal or state laws could also be applicable. It’s very hard to find, read, and understand everything that may apply. If you adhere to high standards of ethical and responsible behavior you’re unlikely to commit a serious infraction of any of the policies, rules, or laws.
Yes. Grant funds received from a grantor are given to CCCS and items purchased with such funds belong to CCCS. Therefore, BP 3-125 and this procedure apply to any hardware or software purchased with grant funds.
Anyone who uses CCCS data communication network to access data at another institution is a user. Anyone who stores data files on a CCCS network is a user. Anyone who uses a computer in a CCCS college lab is a user. An employee (staff, faculty,adjunct or student) who uses their personal computer or mobile device to access CCCS systems and services is a user.
Yes. CCCS has the right to look at any user’s electronic accounts, files, or communications within the limits established by law. Employees need to understand that there is no absolute right to personal privacy when the employee is using the employer’s equipment, including IT resources. CCCS does not routinely monitor the content of files or communications, but may view contents whenever it deems necessary.
You should also be aware that the files you maintain on CCCS IT resources may be considered public records and CCCS may be required to make them available for inspection under CORA. CORA defines “public records” to include electronic mail messages which means that your email messages also may be subject to public inspection.
The current state of IT is such that there can be no absolute assurance of privacy or confidentiality of electronic data and systems. CCCS takes reasonable and prudent precautions to protect privacy, but users should understand there is always some risk that data can be accessed by unauthorized people.
CCCS IT administrators are charged with maintaining and operating the resources for the benefit of all members of CCCS. If someone’s data consumes so much storage that others are denied storage or if someone’s web page attracts so much network traffic that others are denied network access, the administrator of those resources has the right to remove the material. Whenever possible, users are given an opportunity to backup data to other media before it is removed.
CCCS IT administrators take reasonable and prudent steps to protect the integrity of data and systems stored on the resources they administer, but there is always some risk that files may be lost or damaged. Users are urged to make backup copies of their personal files that would be difficult or costly to replace.
CCCS faculty, staff and student may use computers as per SP 3-125c. However, only certified IT staff can service state owned computers, printers, projectors, mobile devices, etc. This includes installation of official software applications (i.e., Microsoft Word, Excel, Adobe PhotoShop, etc.). CCCS IT or college IT staff will not support computers, mobile devices, etc., that do not belong to CCCS.
Programs or executables generally require installation on the computer and generally require licensing. Content is the files that can be opened by an application. Examples: Microsoft PowerPoint is the “application” required to create, open and modify PowerPoint presentations. PowerPoint files that are created by the application are the “content.” Often textbook series include PowerPoint files. If PowerPoint is not installed on the machine, the computer cannot open the files. Test banks (“applications”) are what generate test questions. If you can save those questions, that file is the “content”.
Only IT staff are allowed to install updates, browsers and plug-ins. Some updates, plug-ins, etc., may be installed through a variety of methods that will not require user intervention. The update of plug-ins by the end users may cause issues with the applications that are required to be maintained at certain versions for proper functionality. IT will update these programs automatically once they have thoroughly tested the update for compatibility with enterprise applications.
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.