Acceptable Use-Personal Device
Policy:
Purpose, Scope, and Responsibilities
In general, it is strongly recommended that employees use equipment owned and managed by Clarkson College to perform college-related work. The exception would be for adjunct faculty and casual employees who are not provided a college-issued device.
Personally owned computing devices are increasingly being used to access College technology resources and/or store College data. A security breach when using a personal device could result in loss or compromise of College data, damage and/or unauthorized access to College technology resources, and/or financial harm to the College.
The purpose of this standard is to establish minimum security requirements and expectations for personally owned devices that connect to College technology resources and/or access College data. This standard does not apply to College-owned devices.
Individuals who elect to utilize a personal device, including but not limited to smartphones, tablets, laptops, notebooks, and netbooks, to access College technology resources are responsible for the following:
- Abiding by the requirements identified within this document;
- Configuring personal device(s) to be able to connect to College technology resources;
- Any damages and criminal and/or civil charges resulting from the activities conducted on their personal device while connected to a College technology resource; and,
- All transactions made under their authentication to a College technology resource.
The College is not responsible or liable for the maintenance, backup, or loss of data on a personal device and does not accept responsibility for the security of personal devices, including loss, theft, or damage.
The Chief Information Security Officer (“CISO”) is responsible for the implementation and enforcement of this standard. Information Technology (“IT”) is responsible for Clarkson College authentication systems, verifying authentication credentials provided, troubleshooting authentication issues, and performing vulnerability scans of the campus network. IT is not responsible for configuring the use of personal devices to connect to Clarkson College technology resources.
Procedure:
Personal Device Use
Individuals who elect to utilize a personal device to access Clarkson College technology resources, whether for personal use, Clarkson College business, on Clarkson College time, or during business travel, must:
- Abide by the College Computing Policy (IT-2);
- Maintain and back up the personal data stored on the device;
- Ensure the physical security of the device to prevent loss, theft, and/or damage;
- Report lost or stolen devices that contained College Data to their supervisor and IT; and,
- Ensure the device meets the security requirements identified within Section 3 of this document.
A personally owned device must never disrupt the use or function of the campus network and/or the College information system to which it is connected. The College will ban or prevent any device from accessing the campus network that continually causes disruptions to College technology resources.
Personally owned devices must never be used as a College server or networking device, including use as a router or hotspot to connect other College technology resources physically connected to the campus network.
Personally owned devices must never be used in order to circumvent security controls put in place by IT.
Device Security
To prevent others from obtaining unauthorized access, the device must remain under the owner’s Effective Control at all times.
All devices that connect to College technology resources and/or access College data must meet the following security requirements:
- Employ an active form of access protection such as a passcode, passphrase, facial recognition, or fingerprint;
- Passwords/passphrases must meet the minimum requirements:
  - Devices that accept multiple-character passwords:
    - Must contain at least 16 characters.
    - Characters must be a mixed case of letters, numbers, and symbols (consider using 4-7 random words).
    - Must be unique and used for only one account.
  - Devices that only accept a pin code:
    - Must have at least a 6-digit pin.
- Have anti-virus software installed and running real-time scanning, and/or scan the device regularly, to prevent, detect, and remove malware;
- Be configured to lock or logout and require a user to re-authenticate if left unattended for more than 5 minutes. Devices that do not support this capability must be secured alternatively, such as restricting access in a locked room;
- Run a supported operating system that is patched and updated regularly; and,
- Be configured to allow the owner to remote wipe in the event the device is lost or stolen.
- Must support and have encryption enabled.
Devices that are jailbroken, rooted, or have been subject to any other method of changing built-in protections must not be used to access College technology resources.
The device must support WPA3 and AES.
Conducting College Business
Pursuant to the Computing Policy (IT-2) and Risk Classification Guide, the College provides the use of College technology resources, including devices, which must be used by authorized Individuals as the primary means to create, store, send, or receive College data.
- De minimis use of personally owned devices is permitted to access College data and/or conduct College business provided the device meets the security requirements identified within Section 3 of this Standard.
- Use of a personal device as the primary means to create, store, send, or receive College data is prohibited.
Employees who access sensitive data for their job must primarily use a College Device. If a College Device is not available, a personally owned device may be used only if it has been pre-approved by the CISO and is utilizing an approved College remote access solution to access sensitive data.
Software licensed to the College must never be downloaded to a personally owned device unless specifically permitted by the license (e.g., Microsoft Office).
College data stored on a personally owned device is subject to document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders), and must be produced upon the request of the College.
The College may at any time request the return and/or deletion of any College data stored on a personally owned device.
Any College data downloaded to a personally owned device must be destroyed, removed, or returned to the College once the individual:
- Is no longer employed by the College;
- No longer requires access to the College data due to changing job responsibilities; or,
- Is no longer the owner or primary user of the device.
Exceptions
Antivirus software is not required on mobile devices such as cell phones and tablet computers.
Definitions
- “Authentication” means verifying the identity of a user, process, or device to allow access to a College Technology Resource.
- “Effective Control” means when a traveler either retains physical possession of the device or secures the device in an environment such as a hotel safe, a bonded warehouse, or a locked and guarded exhibition facility.
- “Jailbroken” means the process of modifying an iOS device, such as an iPhone or iPad, to bypass restrictions imposed by Apple to allow the owner to modify the operating system, install non-approved applications, and grant the user elevated administration-level privileges.
- “Real-Time Scanning” means the anti-virus software is always on and checks files in real time when they are created, opened, or copied.
- “Remote Wipe” means a security feature that allows data on a device to be deleted without physically possessing the device.
- “Rooted” means the process of allowing Android users to attain privileged control over subsystems to alter or replace system applications and settings, run specialized applications that require administrator-level permissions, or perform other operations that are otherwise inaccessible to a normal Android user.
- “Supported Operating System” means the entity providing the Operating System (OS), be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the OS.
- “College Data” means anything that contains information regarding the College made or received in connection with its operations, regardless of whether it is a hard copy or electronic, and includes, but is not limited to, written and printed matter, books, drawings, maps, plans, photographs, microforms, motion picture films, sound and video recordings, e-mails, computerized or other electronic data on hard drives or network drives, or copies of these items. See EC-2 Record Retention Policy and Schedule.
- “College Technology Resources” means College-owned hardware, software, and network/communications equipment, technology facilities, and other relevant hardware and software items, as well as personnel tasked with the planning, implementation, and support of technology. College Technology Resources can be broken into the following categories:
- Campus Network means the wired and wireless components and College Technology Resources connected to the network managed by the College.
- Device means a server, computer, laptop, tablet, or mobile device used to enter or access College Data from a College Information System.
- College Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the College, whether operated and managed by the College or a third-party vendor.
