The Information Security Policy is intended to protect the three domains of information.
- The first one involves protecting the confidentiality of data, with the intention of keeping the data out of the hands of those who should not have it, ensuring privacy.
- The second domain revolves around protecting the integrity of that data. It is important that what we enter is accurate and remains accurate throughout its lifespan. In essence, we are ensuring the data's quality.
- The final domain revolves around availability; here we strive to make sure the data is always available when it is needed.
Therefore, the policy of Schoolcraft College is to provide accurate information only to those who are authorized to have it, when they need it.
The College is committed to protecting information assets and the information resources that support our organization. The College collects, transmits, stores, and processes a large volume of data in its mission to educate students. Regulatory compliance laws and the procedural documents support our Information Security Policy.
The Information Security Procedure 1090.1 contains a collection of controls and security measures that are intended to protect our information assets. Procedure 1090.1 is maintained by Information Security and requires Cabinet approval for changes. The Board of Trustees will review the changes at the next regular Board meeting. Without these protections in place, our assets and systems would be subject to possible damage, exposure, and theft.
This policy covers all information assets owned or leased by Schoolcraft College, regardless of their location.
Information assets are defined as any electronic device owned by Schoolcraft College that has the capability to electronically store, process, or transmit information. This includes, but is not limited to, computers, laptops, servers, SANs (Storage Area Networks), storage, backup and archive, tablets, smartphones, network communication devices, and internet access. It also includes the data that is contained within these systems, such as imaged documents, student information, employee information, and budgetary information.
Information includes data stored on removable or portable media, data stored in computer memory, cloud-based storage, and Schoolcraft College intellectual property stored on personal devices.
This policy enforces all regulations to which Schoolcraft College is subject, including but not limited to the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), and European Union General Data Protection Regulation (EU GDPR).
All Schoolcraft personnel and students shall abide by and adhere to the procedural documents related to this policy, which include:
- Acceptable Use Compliance Requirement (AUCR)
- Data Classification Compliance Requirement
- Risk Assessment Compliance Requirement
- Payment Card Industry (PCI) Compliance Requirement
- Authentication and Authorization Compliance Requirement
- VPN & Remote Access Compliance Requirement
- Monitoring & Enforcement Compliance Requirement
- Wireless Security Compliance Requirement
- Network Device & Configuration Compliance Requirement
- Server Security Compliance Requirement
- Workstation Security Compliance Requirement
- Web Application Compliance Requirement
- Encryption Compliance Requirement
- Technology Equipment Disposal Compliance Requirement
Violations of this policy are addressed in the procedural documentation and can result in disciplinary actions, including but not limited to formal policy recertification, up to and including termination of employment/service or student expulsion.
Any action which violates the law will be reported to the appropriate law enforcement authority.
INFORMATION SECURITY PROCEDURES - Procedure 1090.1
Acceptable Use Compliance Requirement (AUCR)
Schoolcraft College’s Acceptable Use of Information Technology Resources Compliance Requirement (AUCR) provides for access to information technology (IT) resources that are intended to carry out the legitimate operational functions of the College. Use of these resources is not intended for non-college-related purposes. In addition, Schoolcraft College is committed to protecting itself, students, and employees from inappropriate, illegal, or damaging actions by individuals using these systems.
This Compliance Requirement defines the acceptable use of college information, the systems which process this information, and the network at Schoolcraft College. These rules are in place to ensure that members of the Schoolcraft College community have access to reliable systems that safeguard confidential information.
The rules will also guide students and employees to use good practices to protect the College. An individual’s unsecure practices and malicious acts can expose Schoolcraft College, students, and employees to risks that can compromise their system or the network, resulting in the loss of data, loss of confidential information, or loss of services. Security breaches could affect students and employees and damage the College’s reputation. Legal action against individuals or the College may result from a data breach.
The AUCR applies to anyone who uses the College’s information technology (IT) systems, network, or information, including, but not limited to, students, employees, College Board members, contractors, conference guests, third-party vendors, or any individuals or entities who use these systems at Schoolcraft College.
This Compliance Requirement applies to all IT resources owned or used by Schoolcraft College, including, but not limited to, computer equipment, software, operating systems, networks, and Internet access. It also includes any media that is used to transport information.
Securing and protecting these resources is the responsibility of everyone who uses them; security is only as strong as its weakest link. There is a significant cost associated with the protection of information assets and the integrity of systems used on a global scale; everyone is expected to participate in securing our organization.
Unless otherwise specified in this procedure or other college policies, use of college information technology resources is restricted to purposes related to the College’s mission. Eligible individuals are provided access in order to support their studies, instruction, duties as employees, or business with the College. Unless specifically identified as an authorized user of the system, access to IT systems is forbidden.
Departments may develop complementary use policies and procedures, as long as they are consistent with this Compliance Requirement and any other applicable technology use policies of the College.
Incidental personal use of IT systems must adhere to all applicable college policies.
- Users are prohibited from engaging in any activity that is illegal under local, state, federal, or international law or in violation of college policy and/or Compliance Requirements. The items listed below are by no means the only areas of restriction; they are only an attempt to provide a framework for activities that fall into the category of unacceptable use.
- While respecting users’ confidentiality and privacy, the College reserves the right to access and examine all computer files, email content and history, internet access history, network access and usage.
- Use of unauthorized devices where public network connections are not available is prohibited.
- Priority for the use of IT resources is given to activities related to the College’s missions of education and conferencing facilities.
Participation or assisting in any form of security breaches or malicious use of network communication, including but not limited to:
- Procurement of configuration information about the network, or about systems on the network, that the user is not responsible for maintaining.
- Participation or assisting in activities intended to hide the user's identity, to purposefully increase network traffic, or other activities that purposefully endanger or create nuisance traffic for the network or systems attached to the network.
- Circumventing any authentication mechanism, including electronic or physical barriers, to access data, accounts, or systems that the user is not expressly authorized to access.
- Implementation of a Denial of Service (DoS) against any Information Technology system, or its users, on the College’s network. This includes using college facilities or networks to interfere with or deny service to persons outside the College.
Unauthorized Use of Intellectual Property
- Use of college IT systems or networks to violate the ethical and legal rights of any person or company protected by copyright, patent, intellectual property rights, or similar laws or regulations is prohibited.
- Participation or assisting with the unauthorized use, duplication, distribution, or publication of copyrighted material, unless it meets the requirements of the fair use doctrine. This includes, but is not limited to, use of copyrighted images, music, video, or programming code.
- Unauthorized use of any licensed trademarks of Schoolcraft College or any other organization.
- Theft of, or unauthorized removal of, Schoolcraft College intellectual or physical property in any format is prohibited. This includes, but is not limited to, information, equipment, or documents.
- Using any IT systems or network resources to engage in academic dishonesty, plagiarizing, altering, or tampering with the work of others is prohibited.
Misuse of Electronic Communications
Email and other electronic communications are required to carry out the activities of the College, its employees, and students. Electronic communications include, but are not limited to, email, social media, texting, instant messaging, or any other form of communication transmitted over the network or Internet.
- Both employees and students are reminded that, legally, email is treated like any other form of written communication. Messages are subject to the same legal restrictions and potential liabilities as those of paper documents. This could include the Patriot Act and other state and federal laws. Email messages may be subpoenaed and are subject to the Freedom of Information Act (FOIA) or discovery requests.
- Use of the email systems for personal gain, conducting of private business, or furthering of political agendas is prohibited.
- Sending unsolicited messages, including "junk mail" or other advertising material, to individuals who did not specifically request such material is prohibited, except as approved under the email usage Compliance Requirement.
- Harassment of any person or organization by means of electronic communications, whether through content or frequency of the messages, is prohibited.
- Use of one’s electronic address (email address), electronic signature, or electronic identity with the intent to send or receive unauthorized information or an unauthorized response is prohibited.
- Use of anyone’s electronic address (email address), electronic signature, or electronic identity that the user is not explicitly authorized to use is prohibited for any reason. (This includes use by former employees, retirees (including those with Emeritus or Honoree status), students, faculty, individuals, etc. – any person whose active relationship with the College has ended or been terminated at the sole discretion of Schoolcraft College.)
Inappropriate or Vindictive Use of IT Systems or Internet
This is the use of any IT systems for an intent other than to conduct normal business operations, or in the course of student learning as part of the normal curriculum. The following actions are prohibited.
- IT systems or network must not be used for the harassment of persons or organizations, encouragement of workplace hostility, or other illegal activity. This applies to systems used either on or off the campus for any reason.
- Intentionally sending or receiving material of a profane, pornographic, hate or threatening nature.
- Setting up any form of peer-sharing system in which information may be shared without the College’s knowledge including protected information or other intellectual property that can be illegally shared.
- Sabotage, misuse, or abuse of IT systems, including intentionally introducing malicious programs into the IT systems or network (e.g., viruses, worms, Trojan horses, adware/malware, etc.).
- Any attempt to access information or systems that one is not authorized to access is prohibited, including the sharing of authorized information, account privileges, and system access with anyone or any organization that is not authorized to have this information.
- Any attempt to adversely modify, alter or subvert any security or operating configurations of any IT systems or network resource by authorized or unauthorized parties is prohibited.
- Any inappropriate use or sharing of authorized IT privileges or resources.