Computing Policy (Policy IT-2)

The purpose of this Computing policy ("Policy") is to set forth guidelines so that members of our community may use the campus network and computing facilities in ways that are responsible and respectful of privacy.

This policy applies to all users of Clarkson College’s ("College") information systems, including students, faculty and staff, and any others granted the use of college information systems and data. It applies to the use of all computing facilities owned, leased, operated, or contracted by the College. As used in this policy, terms such as “computing,” “computing/information systems,” “information resources,” “devices”, etc., refer to all computers, communication systems, and peripherals, internet of things, software, telephones, and systems with similar functions, which are owned or leased by the College, or which utilize College infrastructure such as telephone lines or computer networks.

Although this policy does not attempt to deal specifically with legal issues, college members are responsible to act in compliance with the law, including any federal, state, and local laws governing computer and telecommunications use, as well as all other applicable college policies.

 

Procedure:

Privileges and Responsibilities

Every member of the Clarkson community who uses computing and related communications systems at the College, or systems that belong to the College or which rely on the College’s infrastructure has the responsibilities described in this policy. This includes members of the Clarkson community who have restricted privileges, such as alumni who may have electronic mail access only. Individuals with personally owned devices, but who rely upon the colleges network to connect those devices are expected to abide by the policies set forth in this document. Personally owned devices operating independently or networked through a non-college connection are not covered under this policy.

Access to the College’s information systems is contingent upon being a member of the College community and adhering to college and Information Technology policies, guidelines, and procedures, including this policy. Misuse may result in the loss of access and/or college disciplinary action. For some users and certain systems, access may be authorized by specific departments. In such cases, any department- or group-specific policies and guidelines must be adhered to when using resources provided by the department or group. This is in addition to college policies and Information Technology guidelines and procedures.

Any user who suspects a violation of the college’s Information Systems use policies, or who has knowledge of potential vulnerabilities or security loopholes in a system or network at the College, should immediately notify the Information Security Team at infosec@clarksoncollege.edu.

Maintain the Security and Confidentiality of your Account

Users assume personal responsibility for the actions associated with their computer accounts. This responsibility begins with selecting a secure password and involves maintaining the confidentiality of that password and changing the password regularly and/or enabling multi-factor authentication in order to assure the continued security of your account. For guidance in selecting a secure password and/or enabling multi-factor authentication, please contact the IT Help Desk. If you believe that someone has made unauthorized use of your account, you should change your password immediately and report the incident to the IT Help Desk.  No employee may disclose his/her login IDs and passwords to anyone, including other College employees, without proper authorization.

Software Installation and Use

Software is only permitted to be installed on Clarkson College equipment by authorized personnel once reviewed and approved by the Information Technology department.

Employees shall use computer software only in accordance with applicable licensing agreements.  No employee may copy or attempt to copy copyrighted software, run or attempt to run illegally copied software (either at the College or by means of College resources), or in any other way violate license agreements into which the College has entered.”

Respect for Others’ Property and Privacy Rights

Users are responsible to respect copyright agreements and intellectual property ownership. Any material that is the work of another, whether explicitly copyrighted or not, should not be distributed by any user without appropriate acknowledgement and/or permission of the creator. Unless permission has been granted by the owner of copyright protected materials, distribution of copyright protected material via the college network or information systems is prohibited.  See policy IT-4 Copyright for more information.

Improper/Illegal Communications

Any communications that would be improper or illegal on any other medium are equally so on information systems: libelous material, obscene messages, harassment, forgery, threats, etc. However, this is not intended to restrict the free expression of ideas. Communication conducted in accordance with the college OG-22 Freedom of Expression will not be considered a violation of this policy.

Risks of Data Loss and Data Persistence

Although the college will make efforts to secure the network and college-controlled servers from abuse and damage, it cannot guarantee against data loss by a student, faculty or staff member, either on a college-operated or an individually owned device.

Personal Use

While the college makes information systems available primarily to achieve its goals of academic advancement and for administrative activities, it realizes the need to encourage the personal use of computing for the convenience of the campus community. Thus, it is reasonable to allow the use of information systems for activities that can facilitate convenience or enhance productivity, to the extent that the activity is within the limits described by Information Technology’s Policies. Any personal use of Information Systems related to operating a personal business or commercial enterprise is prohibited unless permission to do so has been specifically granted by the Vice President of Technology Services, Digital Transformation.

We reserve the right to restrict personal use of college systems and networks by an individual or by the community at large, if the use of resources for such activities becomes excessive.

Privacy

The user must presume that the contents of any other users’ directory are private unless expressly designated otherwise, just as one would presume that the contents of someone’s apartment or office are private. An unprotected account or shared device are not considered to be public unless the name or service expressly indicates that it is. In such cases, any files or other data which would appear to be private in nature, by virtue of the file name or data stored, even if “publicly accessible” should be considered to be private. The user accessing such files has a responsibility to ask the owner of the files or service if the files are intended to be publicly accessible before the user does more than a “cursory glance” sufficient to cause the question.

A user can explicitly grant access to his or her directories, files. However, users who issue general or vague invitations to browse through their files incur a special obligation to protect any material that they do not wish others to see. Indeed, all users are urged to maintain protection levels on their files consistent with the access they are actually willing to give to other users.

All data stored on Clarkson College systems and servers for the purpose of conducting operations is considered property of Clarkson College.  

College IT systems and resources may be subject to monitoring at any time, with or without notice, to verify that College property is being used in a manner consistent with all College policies.

Access to User Data

Electronic data on a user’s account, whether stored on a computer in the user’s office/room or elsewhere under the proprietary control of that user, may not be examined without the user’s consent, except in cases of emergency or security, in response to a valid subpoena, search warrant, order of a court, Information Security, or by specific request by the employees’ supervisor for the purpose of accessing work-related electronic data. Posting of data by a user on platforms available to the public or to users of the college shall be understood to imply consent, and electronic access given to specific parties by the user will likewise imply consent for those parties to access permitted data. Emergencies may include, for example, but are not limited to, the death, incapacity or disappearance of the user, or the search for and examination of files used for apparently malicious activity in an account which endangers the integrity of information systems, the network, or other aspects of the college’s computing infrastructure.

Only specifically designated individuals are permitted to determine what passes for an “emergency.”  Such individuals may be specifically designated or may be designated by job position/description for employees. For students the Vice President of Academic Affairs will be the designated to determine what is defined as an “emergency” aside for what was stated above.

Whenever possible and legally permissible, notification must be given to the user whose data are subject to subpoena, search warrant, or order of court prior to compliance therewith. Any intrusion by an employee of the College into a user’s electronic data must be reported to the user as soon as possible, and within five days of the event via electronic mail unless prohibited by order of court, or due to a continuance of an ongoing investigation by the College. Violation of any aspect of this policy is a sanctionable offense.

In cases where a staff member believes that electronic data in their account has been inappropriately accessed by another staff member, the incident should be reported to Human Resources. For students, it should be reported to the Vice President of Academic Affairs.

Note: Removable media such in a faculty or staff office, or in a residence hall suite are not subject to search by Information Technology, though Information Technology will assist authorized law enforcement agencies or authorities to read data after they are obtained, at the agencies’ or authorities’ request.

Protecting Confidential Information

Users who maintain confidential information, such as records relating to employees or students, are responsible for following privacy-related policies, laws, and data use agreements.

Protecting Personal Information

As is described throughout this policy, data transmitted across the college’s network or stored on college systems may be accessed by others as a result of misuse by an individual, as an incidental result of the routine operation of the network and systems, or in response to a court subpoena or college investigation into suspected or alleged misuse. While complete privacy of personal data may not be possible, users who wish to ensure a higher degree of privacy for their data are encouraged to use encryption, PGP security, or other techniques to reduce the risk that others may access their data.

Misuse and Inappropriate Behavior

The following activities are expressly prohibited at Clarkson College:

Using a computer system without proper authorization granted through a college official. Some activities such as “port scanning” are not expressly prohibited. However, if the target of such scanning requests that an individual or system stop performing such actions, the person or system performing the scans must stop scanning the target machine and/or networks unless the scans are being carried out by a privileged user who has the authority and responsibility over the machine(s) being scanned or for the network being used.
Concealing your identity, or assuming the identity of another (e.g., by sending forged electronic mail). Note that some forms of electronic communication, such as browsing Web pages, passively “identify” users. Keeping your identity private either by not setting an identity in your browser or by using a Web-anonymizer in order to protect yourself from being put onto mailing lists is not a violation of this policy.
Sharing your account with the specific exception of staff or faculty members allowing their administrative support personnel to access their accounts in order to provide services appropriate to their job functions. Note that individual account password sharing is explicitly forbidden.
Using another person’s computer account, user id, files, or data without appropriate permission, as described in the previous bullet (e.g., using an account found “logged in”).
Deleting or tampering with another user’s files or with information stored by another user on any information-bearing medium (disk, tape, memory, etc.). Even if the user’s files are unprotected, apart from files obviously intended for public reading, such as Web pages, it is improper for another user to read them unless the owner has given permission (e.g., in an announcement in class).
Attempting to “crack” or guess other users’ passwords. Privileged Users or those specifically designated by the administrator or owner of a system may attempt to crack passwords in order to test and enhance the security of the system. In cases where an individual or department “owns” machines which use password files controlled by another organization (e.g., Information security course machines or their like), the owner may not attempt to crack passwords without explicit permission by the owners of the password database.
Obtaining passwords by other means, such as password capturing, phishing, and key logging programs.
Attempting to circumvent system security (e.g., breaking into a system or using programs to obtain “root” or “administrative” access), without the explicit permission of the owner of that system.
Denying permitted and appropriate access to resources to other users (e.g., Denial of service attacks.).
Releasing malicious code, malware, etc., that disrupt other users, damage software, or hardware, disrupt network performance, or replicate themselves for malicious purpose.
Sending commercial solicitations via electronic means (i.e., spamming) to individuals, or to newsgroups or mailing lists where such advertising is not part of the purpose of the group or list.
Any “mass mailing” which is solicitous in nature, unless the mailing is in the conduct of college business.
Reselling of services based on the college network, such as web hosting, mailing services or the selling of shell accounts.
Running a proxy server which results in inappropriate or unauthorized access to college materials to non-college members.
Advertising commercial businesses or ventures on Web pages hosted by Clarkson, unless prior authorization has been granted.

Using mail messages to harass or intimidate another person (such as by repeatedly sending unwanted mail or broadcasting unsolicited mail).

Violations of any local, state, or federal laws, such as the distribution of copyright-protected materials (e.g., the distribution of commercial software, music, or films in electronic format without appropriate permissions by the owner, even if the user distributing the materials notifies others of their copyright status).
Tampering with, willful destruction of or theft of any computer equipment, whether it belongs to the college or to an individual. Tampering includes any deliberate effort to degrade or halt a system, or to compromise the system/network performance. Willful destruction includes any deliberate disabling or damaging of computer systems, peripheral equipment such as scanners or printers, or other facilities or equipment including the network, and any deliberate destruction or impairment of software or other users’ files or data.
The unauthorized removal of college’s or another's computing equipment, which constitutes theft.

 This list should not be considered to be complete or exhaustive. It should, however, serve as a set of examples of obviously inappropriate behaviors. If you are in doubt about the appropriateness of something that you want to do, contact the IT Help Desk and ask first.

Enforcement

Inappropriate behavior in the use of computers is punishable under the information security policies and regulations regarding faculty, staff, and students. The offenses mentioned in this policy range from relatively minor to extremely serious, though even a minor offense may be treated severely if it is repeated or malicious. Certain offenses may also be subject to prosecution under federal, state, or local laws.

Appropriate disciplinary action depends not only on the nature of the offense, but also on the intent and previous history of the offender. The range of possible penalties includes reprimands, loss of computing privileges, course failures for students, disciplinary probation, suspension or dismissal from the college and/or criminal prosecution.

Offenses that are minor or appear to be accidental in nature are often handled in a very informal manner such as through electronic mail. More serious offenses involve formal procedures pursued through the Vice President of Academic Affairs for students, Human Resources and/or the respective Vice President for staff and faculty.

Restrictions of Privileges During Investigations

During the course of an investigation of alleged inappropriate or unauthorized use, it may be necessary to temporarily suspend a user’s network or computing privileges, but only after determining there is at least a prima facie case against the individual, as well as a risk to the college or its information resources if privileges are not revoked. In these cases, it is important to recognize that the restriction of network or computing privileges is intended to protect the system rather than to punish the individual. For example, if a computer account has been used to launch an attack on another system, that account will be rendered inactive until the investigation and/or response effort is complete. This is a necessary action taken to prevent further misuse and does not presume that the account holder initiated the misuse.  Unsubstantiated reports of abuse will not result in the suspension of accounts or network access unless sufficient evidence is provided to show that inappropriate activity occurred. For example, if someone reports that their computer was “attacked” by a Clarkson system, the burden will be upon the complainant to provide sufficient data logs or other evidence to show that the incident did, indeed at least appear to be an attack.

Adverse Impact on Shared Systems

The college reserves the right to discontinue communication with external systems that are known to harbor malicious actors and/or content (e.g., spammers, account crackers, and phishing sites) even though this may restrict certain acceptable communications. When deemed necessary, this action will be taken to protect the security and safety of our systems. Similarly, there may be cases where a particular service or activity on a given college system will, by the very nature of its legitimate operation, tend to generate attacks from other Internet sites. If these attacks are frequent and severe enough to cause service interruptions for larger parts of the campus community, it may be necessary to temporarily or permanently remove these systems from the campus network. In cases where such an action is deemed necessary, network administrators will work with the maintainers of the system to identify alternative methods of network access. In cases where the college restricts access to external sites or removes network access for internal sites, the purpose of the action is to maintain the security and reliability of the computer systems and networks rather than to punish an individual or a site, or to restrict the free expression of ideas.

This policy will be placed in the College Academic Catalog for all students to read. An email will be sent annually to all students disclosing this policy.