NUMBER:
3-1-1
APPROVED DATE:
10-22-2004
BASED ON POLICY NUMBER AND TITLE:
3-1-0 USE OF INFORMATION TECHNOLOGY RESOURCES
Purpose
This policy governs Trident Technical College (TTC) employee and authorized non-employee use of information technology (IT) to securely access, maintain, and transmit TTC data and access the internet in compliance with local, state, and federal laws.
Definitions
- Information Technology – college owned, licensed, or subscription-based computing and communication resources that manipulate, store and transport all data types and formats.
- User – Full and part-time TTC employees or any other authorized individuals using college owned, licensed, or subscription-based information technology.
Acceptable Use
Users are responsible for reviewing and complying with all policies and procedures related to acceptable use and security of IT resources. Access to mobile computing devices, computer systems, and networks owned or operated by the State of South Carolina imposes certain responsibilities and obligations on users and is subject to state government policies and local, state and federal laws. Acceptable use of information technology must be ethical, professional and responsible in the consumption of shared IT resources. Acceptable use demonstrates respect for intellectual property, privacy and ownership of information, system security and freedom from intimidation and harassment.
System Usage
- Information Systems Training -All users must complete online or in person software training through an appropriate resource before accessing enterprise information systems.
- Information Security Training - All full-time faculty and staff, part time staff, and authorized non-employees must complete information security awareness training upon initial hire, on a regular basis and appropriate to their job function. The Division of Education is responsible for providing pertinent information security awareness training to adjunct instructors.
- Unauthorized Software – Users may not make unauthorized copies of TTC owned and licensed software. Users may not install TTC owned software on their personal computing devices unless authorized by IT and the software vendor in a licensing agreement.
- Installation of Software – Users are not able to install software on TTC owned computers and network servers. Users must request that IT install software applications and plugins on TTC owned computing resources.
- Personal Use - Trident Technical College allows employees to make reasonable personal use of its electronic mail, internet access, messaging, and other computer and communications systems provided it does not interfere with business activities or IT resource availability. IT resources may not be used to support a personal business or similar personal ventures.
- Enterprise Security – Users must comply with and not attempt to circumvent or subvert system or network security controls.
User IDs and Passwords
- User IDs - Users are responsible for all activity performed with their personal user IDs. They must not permit others to perform any activity with their user IDs, and they must not perform any activity with IDs belonging to other users.
- Password and Access Code Sharing Prohibited – Users must not disclose or share their TTC network passwords, enterprise system passwords, voice mailbox PINs, and other access codes with other users or IT support, unless IT has approved an exception.
- Strong Passwords – Users must choose passwords that are difficult to guess and meet system password requirements. Users must not choose derivatives of user IDs, common character sequences, personal history details, a common name, or a word that reflects work activities. Users should create unique passwords for different sites, programs, and devices.
- Password Proximity to Access Devices - Users must never write down or otherwise record a readable password and store it near the computer or device to which it pertains.
- Typing Passwords When Others Are Watching - Workers must never type their passwords at a keyboard or a telephone keypad if others are watching their actions.
- Passwords in Communications Software - Users must not store passwords in Internet browsers at any time.
- Suspected Password Disclosure - Each user must immediately notify the IT Helpdesk and change his or her password if they suspect that it has been disclosed to an unauthorized party.
Electronic Messaging and Videoconferencing
TTC prohibits the following. Users must not:
- Forge or manipulate message author information.
- Distribute spam, computer viruses, malware, or other harmful software programs.
- Send messages or transmit audio/video containing inappropriate content deemed threatening, discriminatory, defamatory, obscene, or prohibited by local, state, and federal law.
- Send unencrypted, plain text e-mail and text messages containing protected, sensitive data (Social Security Numbers (SSNs), credit card numbers, Date of Birth (DOBs), student records, tax information) to external recipients.
- Users must encrypt sensitive data in message file attachments or securely upload sensitive data to external websites and portals.
- Request that TTC students and the public email or text sensitive data via unencrypted plain text messages to TTC accounts.
- Send internal email messages containing sensitive employee or student data. Users must redact or mask sensitive data.
- Click on links or file attachments in messages that are in any way suspect and potentially malicious without verifying message authenticity. Users should forward suspicious messages to the IT Helpdesk.
Privacy
- TTC reserves the right to monitor the content of messages sent from TTC email and messaging systems provided a legitimate, business-related reason exists. The College owns all email and messaging data associated with TTC communication systems.
- TTC also reserves the right to disclose e-mail, voice mail, and other messaging content to outside parties, regulators, law enforcement, and courts of law in connection with disputes, grievances or litigation, or if the President determines such disclosure is in the best interest of the college. Accordingly, you should always ensure that e-mail and messaging is courteous and professional.
- TTC will delete all work email content from a mobile computing device connected to TTC’s email server if the device is lost or stolen. Please refer to 3-1-2 Wireless Communication Devices Eligibility and Usage procedure.
Voice Mail
Sensitive Information - Users must not record or leave recorded messages containing sensitive information on voice mail systems.
Network and Internet Access
- Activity Monitoring – Users must be aware that their network and internet activity, while using TTC systems or personally owned devices connected to TTC’s network, may be monitored for business-related or security purposes.
- Compliance Audit – TTC reserves the right to audit all devices on TTC networks, including personally owned devices, to ensure that each device complies with TTC policies and procedures.
- Connecting Devices -- Devices requiring connection to the TTC network, including personally owned devices must be approved and installed by IT.
- Device Quarantine – TTC reserves the right to quarantine, remove, or deny any device on TTC networks, including personally owned devices that do not comply with TTC policies and procedures or disrupts network communications. IT will then take steps to correct, validate, or approve all deviations on the device to enable connection to TTC networks.
- Current Virus Software- Users must maintain current antivirus software on all personal computing devices that access TTC’s network.
- Unattended Active Sessions - Users must not leave their work computer without locking the desktop or logging out for security purposes.
- Session Timeoutt – Computer desktops and other TTC devices must auto lock after a set period of inactivity.
- Computer Viruses
- Any user who suspects infection by a virus or malicious software (malware) must immediately contact the IT Helpdesk, and not attempt to eradicate the virus without assistance from IT.
- Users must not intentionally write, generate, compile, copy, collect, propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of TTC’s computers or network.
- Use at Your Own Risk - Users access the Internet through the TTC network at their own risk. TTC is not responsible for material viewed, downloaded, or received through the Internet.
- Appropriate Use – Users may not access networks for illegal or unlawful, or immoral purposes or to support or assist such purposes; for example, the transmission of violent, threatening, defrauding, obscene or otherwise illegal or unlawful materials.
Data Storage
- Users must store TTC work files on the following resources:
- Personal Home Directory (H: drive)
- Departmental network drive
- OneDrive-Trident Technical College and Teams (Microsoft secure Cloud storage)
- tridenttech.edu portal
- TTC Learning Management Systems (LMS)
- Users should not store critical TTC work files on their local hard drive (C: drive). IT does not back up individual computer (laptop/desktop) hard drives.
- Users must not store personal, non-work files (documents/images/audio/video) on the following resources:
- Personal Home Directory (H: drive)
- Departmental network drive
- OneDrive-Trident Technical College and Teams (Microsoft secure Cloud storage)
- tridenttech.edu portal
- Users must not store TTC work files on any other third-party Cloud/Internet storage provider unless explicitly approved by the College.
- Users are responsible for copying work files from TTC laptops or tablet PCs to the approved network storage resources referenced above on a regular basis.
- Protected, sensitive TTC work data (SSNs, DOBs, credit card numbers, official student records, tax documents, health records) may only be stored on the following resources:
- TTC’s Enterprise Information System (e.g., student information system)
- High security departmental network drives
- OneDrive-Trident Technical College (Microsoft secure Cloud storage)
- Users must not store protected, sensitive data on mobile computing devices (phones, laptops, tablet PCs), or mobile storage (USB drives).
- Users must not store protected, sensitive data on any other secure Cloud storage provider unless explicitly approved by the College.
Physical Security
- Sensitive Information – Users must lock all hard copy sensitive information in file cabinets, desks, safes, or other securable furniture when not in use.
- Screen Protection – Users that work with sensitive data in high traffic office areas must use screen guards to block or reduce the visibility of monitor displays. Any shared computing devices in public areas that display sensitive data must have screen guards.
- Securing Equipment – Users must secure TTC mobile computing devices (laptops/tablet PCs) in a locked office area or other remote work locked storage area when not physically using the device.
- Computing Equipment - A user must promptly inform their supervisor and the IT Helpdesk, if a TTC computing device has been damaged, lost, stolen or is otherwise unavailable for work activities.
- Use of Personal Equipment - Users must not bring their own computers, computer peripherals, network devices, or computer software into TTC facilities without prior authorization from their supervisor and IT.
- Computing Equipment Checkout – TTC computing devices must not leave TTC unless properly authorized and secured.
- International Travel with College Owned Devices - Travel outside of the United States poses cybersecurity risks for travelers. Employees may not take college owned computing and communication devices on personal foreign travel outside of the United States. Employees must receive approval from IT to take college owned computing and communication devices on college approved foreign travel outside of the United States.
Security Incident Reporting
Users must report any suspected events that may compromise information security or violate an existing information security policy to their supervisor, the IT Helpdesk, and the Information Security Officer. Examples of these events include:
- Any unauthorized use of TTC information systems.
- Passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed.
- All unusual systems behavior, such as missing files, frequent system crashes, and misrouted messages.
- Suspected or actual disclosure of sensitive TTC information to unauthorized third parties. Please refer to TTC’s 3-1-4 information security data breach response plan.
- Lost or stolen TTC computing devices.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Computing privileges may be lost, and violators will be subject to the judicial procedures of the College. This agreement does not preclude enforcement under laws and regulations of the State of South Carolina and the United States of America. TTC reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. TTC does not consider conduct in violation of this policy to be within an employee’s course and scope of employment, or the direct consequence of the discharge of the employee’s duties. Accordingly, to the extent permitted by law, TTC reserves the right not to defend or pay any damages awarded against employees that result from violation of this policy. Any employee, who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written or verbal complaint to his or her supervisor or the Human Resources Department as soon as possible.
Updated: 07-15-2009
Updated: 02-06-2015
Updated: 09-23-2016
Updated: 03-08-2021
Updated: 04-30-2024