8.500 Information Technology Acceptable Use Policy

interior impact

Policy Number: 8.500

Policy Name: Information Technology Acceptable Use

Original Adoption: September 22, 1999

Revised: August 2016; November 2023;

Next Scheduled Review: September 2025

Responsible Cabinet Member: Vice President for Information Technology

Department/Office: Computer Services


BACKGROUND/HISTORY

The purpose of this policy is to establish parameters of acceptability for use and security of the National Park College (NPC) computing facilities and resources by faculty, staff, students and other NPC network users.

SCOPE

Computing resources of National Park College are available only to authorized users, and any use of those resources is subject to these standards. These standards do not supersede or replace existing College policies, which will be applied as the situation warrants. All users of the College’s computing resources are presumed to have read and understood the following standards.

AUTHORITY

House Bill 1369, Act 504; Digital Millennium Copyright Act (P.L. 105-304) (DMCA); Gramm-Leach-Bliley Act (GLBA); Payment Card Industry Data Security Standard (PCI DSS); Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) (15 U.S.C §§ 7701-7713); Higher Education Opportunity Act of 2008 (HEOA); Family Educational Rights and Privacy Act (FERPA); Health Insurance Portability and Accountability Act (HIPPA)

DEFINITIONS

College – NPC and its remote locations. These include, but are not limited to, the Adult Education location on Grand Ave., the Adult Education Garland County Detention Center classrooms, other Adult Education remote locations, and the Computer Service’s department’s disaster recovery data center location.

Users – All individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel, and other individuals authorized by NPC to access an NPC computer, NPC network(s), or NPC technology resources that collect, process, maintain, use, share, disseminate or dispose of NPC data.

Personally Identifiable Information (PII) – Any information about an individual that (i) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (ii) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual; and (iii) is protected by federal, state or local laws and regulations or industry standards.

Third Party File Storage Service – Applications and methods that host data for individuals and/or organizations, either free or paid. These include, but are not limited to Google Drive, Dropbox, Evernote, Apple iCloud, IDrive, Amazon Web Services (AWS), etc.

Computing Resources or Technology Resources– Includes, but is not limited to, any machines, devices, transmission facilities, and infrastructure related to information processing and/or telecommunications, as well as software, digital services, data in any form, user accounts, electronic mail accounts, etc., either provided, or owned, by NPC.

Information Technology Department or IT Department – Computer services.

Passphrase - A passphrase consists of a sequence of words or other text used to authenticate a user’s identity. A passphrase is similar to a password in usage but is generally longer for added security (Example: Saffron7-Murkiness-Campfire-Outfield-Shawl).

POLICY STATEMENT

A. General Responsibilities

The College’s information technology acceptable use and security standards require that each user (anyone using these resources):

  1. Accept responsibility for learning how to use information technology effectively and responsibly. The College provides training on the use of information technology. All users are encouraged to learn the proper use of information technology through individual learning or by attending training sessions or classes. Each user is responsible for checking computer software and data files he/she introduces to any computer on the college network for computer viruses. Each user accepts responsibility for backup and security of his or her own work. Each user should learn how to make backup copies of important work and learn and properly use software features for securing or sharing access to their information.
  2. Use resources efficiently. Accept limitations or restrictions on computing resources, such as storage space, security restrictions, time limits or amount of resources consumed, when so instructed by the College. Each e-mail user is responsible for managing his or her message storage. Such restrictions are designed to ensure fair access for all users.
  3. Maintain a complex and unique password or passphrase, known only to the individual user. Users should not re-use passwords or passphrases, nor should they use their default password beyond initial login.
  4. Distributing or making your password or another person's password or access code available to unauthorized persons (users, third parties, family, friends, etc.) or otherwise attempting to evade, disable or "crack" passwords or other security provisions, or assisting others in doing so threatens the work, privacy and well-being of others and is prohibited.
  5. Use Multi-Factor Authentication (MFA) when required, and only use MFA applications verified by the Information Technology (IT) department to authenticate with College resources.
  6. Must not store restricted organizational, non-public, personally identifiable information (PII), private, sensitive, or confidential information on a device not issued by the College (external drives, internal drives, USB drives, iPads, mobile phones, etc.), or with a third-party file storage service that has not been approved for such storage by the IT department. Devices that are not issued by the College are prohibited from being used with any of NPC’s technology resources that have access to PII. To comply with state guidelines, all College-issued storage devices are to be sent to the IT department for proper disposal once the devices have reached end of life.
  7. Respect the rights of others to have freedom from harassment or intimidation. Sending abusive or unwanted material is a violation of college policies, may violate the law, and is prohibited. Targeting another person, group or organization to cause distress, embarrassment, injury, unwanted attention, or other substantial discomfort is harassment and is prohibited. Personal attacks or other actions to threaten, intimidate or embarrass an individual, group or organization are prohibited. NPC will be the arbiter of what constitutes proper conduct, consistent with college policies.
  8. Recognize the College's right to access, review, and monitor the use of computing resources, including, but not limited to, equipment and usage, as well as the data that is stored or transmitted.
  9. Observe proper online etiquette. Online networks shall be used only as permitted by the College, only in accordance with applicable College policies, and only for lawful purposes. Any conduct that in the College's discretion restricts or inhibits others from using an online network or violates College policies or applicable law is not permitted. Users are prohibited from posting on or transmitting through any on-line network any unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially or ethnically demeaning or threatening or otherwise objectionable material of any kind, including without limitation, any material which encourages conduct that would constitute a criminal offense, give rise to civil liability or otherwise violate any applicable law or college policies. Use of any on-line network to send unsolicited advertising, promotional material or other forms of solicitation to others is prohibited, except as permitted by law and when not prohibited by College policies. Downloading, uploading, streaming, posting, and/or manipulation of, or the creation, sending, or forwarding of messages or other content which act on behalf of people or organizations not part of the mission of NPC (such as religious groups, lobbyists, fraternal, political, private, non-profit, or athletic organizations, etc.) is prohibited. The College reserves the right to restrict and/or interrupt communications through or by use of any College computers or information technology services, which the College believes to be harmful to the College or to others.
  10. College information technology resources may be used for lawful and permitted purposes only. Non-compliance with any of the provisions of these standards may subject the user to sanctions and/or criminal prosecution, as well as personal liability in a civil suit.
  11. Take responsibility for the equipment they borrow or take off-site. This equipment belongs to the College and must be immediately returned upon request or at the time a user is separated from the college. Users may be financially responsible for the value of equipment assigned to their care if it is not returned to the College. Should IT equipment be lost, stolen, or destroyed, users are required to provide a written report of the circumstances surrounding the incident. Users may be subject to disciplinary action which may include repayment of the replacement value equipment. The College has the discretion not to issue or re-issue IT devices and equipment to users who repeatedly lose or damage IT equipment.

B. Prohibited Conduct

  1. Unauthorized attempts to monitor another user's password-protected data or electronic communication, or delete another user's password-protected data, electronic communications, or software, without that person's permission.
  2. Installing or running on any system a program that is intended to or is likely to result in eventual damage to a file or computer system.
  3. Performing acts that would unfairly monopolize computing resources to the exclusion of other users.
  4. Use of National Park College computing resources for commercial or political purposes, unless within the scope of the employee’s duties.
  5. Use of software, graphics, photographs, or any other tangible form of expression that would violate or infringe any copyright or similar legally recognized protection of intellectual property rights.
  6. Activities that would constitute a violation of any policy of NPC’s Board of Trustees, including (but not limited to) the College’s non-discrimination policy and its policy against sexual harassment and sex discrimination.
  7. Intentionally transmitting, storing, or receiving data, or otherwise using computing resources in a manner that would constitute a violation of local, state or federal law, including (but not limited to) obscenity, defamation, threats, harassment, and theft.
  8. Attempting to intentionally bypass, nullify, and/or override security and system integrity procedures.
  9. Attempting to gain unauthorized access to a remote (non-NPC) network or remote computer system.
  10. Exploiting any computing resources system by attempting to prevent or circumvent access, or using unauthorized data protection schemes.
  11. Performing any act that would disrupt normal operations of computers, workstations, peripherals, or networks.
  12. Using computing resources in such a way as to wrongfully hide the identity of the user or pose as another person.
  13. Installing any software on College computers without proper software licenses. Always abide by the terms of all software license agreements. Unauthorized copying of software is illegal and expressly prohibited.
  14. Storing restricted organizational, non-public, personal identifiable information (PII), private, sensitive, or confidential information on a device not issued by National Park College (external drives, internal drives, USB drives, iPads, mobile phones, laptops, etc.), or with an unapproved third-party file storage service. Devices not issued by NPC are prohibited from being used with any of NPC’s technology resources that have access to PII.
  15. Improperly disposing of College-issued storage devices (external drives, internal drives, USB drives, iPads, mobile phones, etc.). Always turn in the devices to the IT department for proper disposal.
  16. Use of computing resources for the purposes of mining cryptocurrency, accessing any aspect of the Dark Web, or utilizing peer-to-peer (P2P) services, unless approved by the IT department.
  17. Any use of computing resources that violates any standards and/or guidelines set by the Arkansas Cyber Security Office or any technology resource policy created by the Arkansas Department of Education.

C. Compliance

Those who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Employee violations will be referred to Board policy 4.520. Student violations will be referred to Board policy 6.310. Other users, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to computing resources, and other actions, as well as both civil and criminal penalties.

RESPONSIBILITIES

All users of NPC’s computing resources are responsible for reading and understanding this policy.