Feedback

7-1: New Acceptable Use of Information Technology Resources

Policy Overview


This policy outlines the acceptable use of Santa Fe Community College (SFCC or College) information technology (IT) resources to ensure that students, employees, and other SFCC community members have access to a reliable, robust, and secure environment.

Scope and Applicability


This policy refers to all SFCC IT resources including, but not limited to hardware, software, mobile devices, data, data networks, and stored data; SFCC’s cloud services; remote and on-campus access, wired and wi-fi connections, and SFCC data stored on privately owned devices. This policy applies to all students, employees, guests, volunteers, contractors, vendors, consultants, and anyone authorized to use SFCC’s IT resources.

Policy Statement


SFCC provides IT resources for the direct and indirect support of the College’s educational and business purposes. The use of these resources is a privilege. Users are expected to behave in a responsible, ethical, and legal manner. Acceptable use is behavior that respects the rights of others; does not compromise the availability, security, and integrity of IT resources; and complies with applicable laws and policies. All IT resources are the property of SFCC.

Definitions


  1. Acceptable Use is behavior that respects the rights of others, does not compromise the availability, security, or integrity of technology resources, and complies with applicable laws and policies.
  2. Confidential Information is any data, in electronic or physical copy, to which the compromise with respect to confidentiality, integrity, and availability would have adverse effects on College interests. Examples include educational records as defined by FERPA (Family Educational Rights and Privacy Act), Gramm–Leach–Bliley Act Covered Information, Payment Card Industry Data Security Standard (PCI-DSS) Information, or any other data which the College has deemed requires protective measures.
  3. Employee is any member of the college workforce: all staff (regular full-time, regular part-time, term, temporary, probationary, sensitive position); all student employees; all faculty (full-time, part-time, adjunct, probationary); all administrators, including interim; all contract employees.
  4. Gramm–Leach–Bliley Act Covered Information is any non-public personal information or personally identifiable financial information about students, employees, visitors, volunteers, or others handled or maintained by SFCC in electronic or paper form.
  5. Information Technology Resources refers to all contracted or owned SFCC technology facilities, services, subscriptions, hardware, software, data storage, accounts, networks, bandwidth, and all content and data (information) that comprise such technology.
  6. User is any person including, but not limited to students, employees, guests, volunteers, contractors, consultants, and vendors who interact with SFCC’s technology resources and services.

Policy Process


  1. Use of SFCC’s IT resources constitutes acknowledgment and acceptance of compliance with applicable state and federal laws, this policy, and all other SFCC policies.
  2. All users of SFCC IT resources are required to:
    1. Use IT resources for their intended academic and business-related purposes.
    2. Be responsible for equipment, accounts, and IT resources assigned to them and all activities completed under the equipment, accounts, and IT resources.
    3. Safeguard any physical key, access card, ID card, computer account, network account, password, and security code that allows one to access IT resources.
    4. Be respectful in the use of shared IT resources (SFCC Policy 2-1 Student Code of Conduct, SFCC Policy 4-1 Workplace Ethics and Code of Conduct).
    5. Protect information and IT resources by following procedures, standards and controls established by the Office of Information Technology.
    6. Complete all assigned IT and cybersecurity-related training.
    7. Immediately report data theft, loss, or unauthorized access of IT resources to the Chief Information Officer.
    8. Ensure that assigned equipment has current patches installed and that the anti-virus and anti-malware software is up to date and report issues to OIT.
    9. Properly secure personal tablets, laptops, and phones that connect to College IT Resources.
  3. Unacceptable use of IT resources may include, but is not limited to:
    1. Intentionally or negligently disrupting IT resources or obstructing the work of others.
    2. Sharing login, access to IT resources, usernames, passwords, or authentication methods with anyone else.
    3. Attempting to gain access to passwords or IT resources for which one is not authorized.
    4. Releasing confidential information without proper authorization.
    5. Using IT resources for personal commercial gain or political campaigning.
    6. Engaging in any harmful activity to IT resources, such as propagating viruses or spam, damaging files, or making unauthorized modifications to data or systems.
    7. Monitoring or scanning the network traffic or usage of others unless specifically allowed through policy or with permission from the Chief Information Officer.
    8. Violating intellectual property rights, including federal copyright, trademark, patent, trade secret, or software licensing agreements (SFCC Policy 3-16 Intellectual Property and Copyright).
    9. Sending spam or unauthorized bulk communications.
    10. Running unauthorized servers, websites, or network services.
    11. Connecting unauthorized devices to SFCC’s wired network, including personal routers, IOT devices, personal laptops, tablets, or phones.
    12. Attempting to circumvent or subvert security systems.
    13. Attempting to hide or obscure one’s identity or impersonating another user.
    14. Viewing, displaying, downloading, printing, procuring, or transmitting any material that would violate SFCC policies, rules or procedures or the law, including but not limited to those relating to sexual violence, sexual harassment, fraud, hostile workplace, obscenity, libel, defamation, hate or violent misconduct (SFCC Policy 2-1 Student Code of Conduct, SFCC Policy 2-22 Student Sexual Harassment, SFCC Policy 2-23 Student Discrimination and Harassment, SFCC Policy 2-28 Student Sexual Violence, SFCC Policy 4-1 Workplace Ethics and Code of Conduct, SFCC Policy 4-4 Fraud, Waste, and Abuse, SFCC Policy 4-9 Discrimination and Harassment, SFCC Policy 4-10 Sexual Harassment, SFCC Policy 4-50 Sexual Violence, Sexual Misconduct, Relationship Violence, Domestic Violence, and Stalking).
  4. Incidental Personal Use
    1. The College allows incidental personal use of IT resources. However, users are strongly encouraged to carry out personal internet and email activities through personal equipment, accounts, and internet providers.
    2. Incidental personal use must not:
      1. Interfere with fulfilling academic or job responsibilities,
      2. Incur any cost to the College,
      3. Consume significant time or IT resources,
      4. Interfere with other users’ access to IT resources,
      5. Be excessive as determined by the College, or
      6. Otherwise violate any federal, state or local laws or College policies.
    3. SFCC cannot guarantee the privacy, security, or availability of incidental personal use.
  5. Privacy and Monitoring
    1. While SFCC does not routinely monitor user activity or examine files for violations of this policy, SFCC reserves the right to monitor and examine any traffic, data, or log.
    2. By accessing College IT resources users understand and acknowledge that IT resources are the property of the College and that they have no right or expectation of privacy from authorized College employees.
    3. Office of Information Technology employees and other individuals authorized by the Chief Information Officer are the only individuals allowed to utilize monitoring and logging tools and to examine traffic, data, and logs on IT resources.
  6. Rights and Responsibilities of SFCC
    1. The College is subject to audits, both internal and external, for compliance with applicable best practices, regulations, and applicable laws.
    2. The College reserves the right to initiate a system, service, or network forensic investigation at the direction of the Chief Information Officer, Office of Human Resources, or the Office of the Vice President for Academic and Student Affairs.
    3. The College makes no warranties of any kind with respect to IT resources and will not be held responsible for damages resulting from use or misuse of College IT resources.
    4. The College attempts to ensure the privacy and security of its IT resources, but makes no guarantees of privacy or security.
    5. The College may take any reasonable action to protect IT resources, College property and users. These actions may include but are not limited to:
      1. Disconnecting a device or connected user.
      2. Blocking or limiting traffic.
      3. Revoking access to IT resources.
      4. Logging, monitoring, copying, or disclosing information from IT resources.
    6. Whether created or stored on SFCC systems, College data may constitute a public record subject to disclosure under the New Mexico Inspection of Public Records Act, other laws, or as a result of litigation. SFCC evaluates all such requests against the precise provisions of the Inspection of Public Records Act, other laws concerning disclosure and privacy, or other applicable law. Destruction of such records is governed by SFCC’s records retention policies (New Mexico Records Retention Act, SFCC Policy 7-3 Information Security).
  7. User Risk and Violations
    1. Users may be held liable for data breaches, damage to IT resources, theft of IT resources, or loss of data that occur due to user negligence.
    2. Any user who is suspected of engaging in conduct prohibited by this policy may face disciplinary action up to and including removal of privileges, suspension, expulsion, termination, or removal from campus (SFCC Policy 2-2 Student Corrective Action and Disciplinary Action, SFCC Policy 4-2 Employee Corrective Action and Disciplinary Action).

Statement of Accountability and Responsibility


The President, through the Chief Information Officer and the Office of Information Technology, shall be responsible for enforcing technology-related policies and procedures. The Office of Information Technology shall work with the different departments and offices to comply with this policy and to develop procedures that will enforce this policy regarding awareness, prevention, and remediation.

Authority

H.R.4137, the Higher Education Opportunity Act
7 U.S. Code § 512 Digital Millennium Copyright Act
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
Gramm–Leach–Bliley Act Covered Information Safeguards Rule, 16 CFR Part 314
U.S Copyright Act, 17-U.S.C §§ 101-810
New Mexico Records Retention Act
SFCC Policy 2-1 Student Code of Conduct
SFCC Policy 2-2 Student Corrective Action and Disciplinary Action
SFCC Policy 2-22 Student Sexual Harassment Policy
2-23: Student Discrimination and Harassment Policy
SFCC Policy 3-16 Intellectual Property and Copyright
4-1: Workplace Ethics and Code of Conduct Policy
SFCC Policy 4-2 Employee Corrective Action and Disciplinary Action
SFCC Policy 4-4 Fraud, Waste, and Abuse
SFCC Policy 4-9 Discrimination and Harassment
4-10: Sexual Harassment – Policy
SFCC Policy 7-2 Technology Equipment Renewal and Replacement
SFCC Policy 7-3 Electronic Mail
SFCC Policy 8-3 Inspection of Public Records
SFCC Policy 8-6 Public Information/Notices and News Media Contacts

APPROVAL

SFCC Governing Board approved: 6/22/2022