Acceptable Use Policy

Purpose

The purpose of the Iowa Lakes Community College Acceptable Use Policy is to establish acceptable practices regarding the use of Iowa Lakes Community College Information Resources in order to protect the confidentiality, integrity and availability of information created, collected, and maintained.

Audience

The Iowa Lakes Community College Acceptable Use Policy applies to any individual, entity, or process that interacts with any Iowa Lakes Community College Information Resource.

Contents

Acceptable Use Mobile Devices and Bring Your Own Device (BYOD)
Access Management Physical Security
Authentication/Passwords Privacy
Clear Desk/Clear Screen Removable Media
Data Security Security Training and Awareness
Email and Electronic Communication Social Media
Hardware and Software Voice Mail
Internet Incidental Use

Policy

Acceptable Use

  • Personnel are responsible for complying with Iowa Lakes Community College policies when using Iowa Lakes Community College  information resources and/or on Iowa Lakes Community College time. If requirements or responsibilities are unclear, please seek assistance from the Security Committee.
  • Personnel must promptly report the theft, loss, or unauthorized disclosure of Iowa Lakes Community College confidential or internal information to the Security Committee.
  • Personnel should not purposely engage in activity that may 
    • harass, threaten, or abuse others; 
    • degrade the performance of Iowa Lakes Community College Information Resources; 
    • deprive authorized Iowa Lakes Community College personnel access to a Iowa Lakes Community College Information Resource; 
    • obtain additional resources beyond those allocated; 
    • or circumvent Iowa Lakes Community College computer security measures.
  • Personnel should not download, install, or run security programs or utilities that reveal or exploit weakness in the security of a system. For example, Iowa Lakes Community College personnel should not run password cracking programs, packet sniffers, port scanners, or any other non-approved programs on any Iowa Lakes Community College Information Resource.
  • All inventions, intellectual property, and proprietary information, including reports, drawings, blue prints, software codes, computer programs, data, writings, and technical information, developed on Iowa Lakes Community College time and/or using Iowa Lakes Community College Information Resources are the property of Iowa Lakes Community College.
  • Use of encryption should be managed in a manner that allows designated Iowa Lakes Community College personnel to promptly access all data. 
  • Iowa Lakes Community College Information Resources are provided to facilitate company business and should not be used for personal financial gain.
  • Personnel are expected to cooperate with incident investigations, including any federal or state investigations.
  • Personnel are expected to respect and comply with all legal protections provided by patents, copyrights, trademarks, and intellectual property rights for any software and/or materials viewed, used, or obtained using Iowa Lakes Community College Information Resources.
  • Personnel should not intentionally access, create, store or transmit material which Iowa Lakes Community College may deem to be offensive, indecent, or obscene.

Access Management

  • Access to information is based on a “need to know”.
  • Personnel are permitted to use only those network and host addresses issued to them by Iowa Lakes Community College IT and should not attempt to access any data or programs contained on Iowa Lakes Community College systems for which they do not have authorization or explicit consent.
  • All remote access connections made to internal Iowa Lakes Community College networks and/or environments must be made through approved, and Iowa Lakes Community College-provided, virtual private networks (VPNs).
  • Personnel should not divulge any access information to anyone not specifically authorized to receive such information.
  • Personnel must not share their Iowa Lakes Community College authentication information, including:
    • Account passwords, 
    • Personal Identification Numbers (PINs), 
    • Security Tokens (i.e. Smartcard), 
    • Access cards and/or keys,
    • Digital certificates, 
    • Similar information or devices used for identification and authentication purposes.
  • Lost or stolen access cards, security tokens, and/or keys must be reported to the person responsible for Information Resource physical facility management as soon as practical.
  • A service charge may be assessed for access cards, security tokens, and/or keys that are lost, stolen, or are not returned.

Authentication/Passwords

  • All personnel are required to maintain the confidentiality of personal authentication information. 
  • Any group/shared authentication information must be maintained solely among the authorized members of the group. 
  • All passwords, including initial and/or temporary passwords, must be constructed, and implemented according to the following Iowa Lakes Community College rules:
    • Must meet all requirements established in the Iowa Lakes Community College Authentication Standard, including minimum length, complexity, and rotation requirements.
    • Must not be easily tied back to the account owner by using things like: user name, social security number, nickname, relative’s names, birth date, etc.
    • Should not include common words, such as using dictionary words or acronyms.
    • Should not be the same passwords as used for non-business purposes.
  • Password history must be kept preventing the reuse of passwords.
  • Unique passwords should be used for each system, whenever possible.
  • User account passwords must not be divulged to anyone.  Iowa Lakes Community College support personnel and/or contractors should never ask for user account password. Passwords could be shared with IT staff and the user will be forced to change the password at next logon.  
  • Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with Iowa Lakes Community College, if issued.
  • If the security of a password is in doubt, the password should be changed immediately.
  • Personnel should not circumvent password entry with application remembering, embedded scripts or hard coded passwords in client software.  
  • Password vaulting applications (password keeper, LastPass, etc.) are acceptable to utilize to keep passwords safe.

Clear Desk/Clear Screen

  • Personnel should log off from applications or network services when they are no longer needed. 
  • Personnel should log off or lock their workstations and laptops when their workspace is unattended.
  • Confidential or internal information should be removed or placed in a locked drawer or file cabinet when the workstation is unattended and at the end of the workday if physical access to the workspace cannot be secured by other means.
  • Personal items, such as phones, wallets, and keys, should be removed or placed in a locked drawer or file cabinet when the workstation is unattended.
  • File cabinets containing confidential information should be locked when not in use or when unattended.
  • Physical and/or electronic keys used to access confidential information should not be left on an unattended desk or in an unattended workspace if the workspace itself is not physically secured.
  • Laptops should be either locked with a locking cable or locked away in a drawer or cabinet when the work area is unattended or at the end of the workday if the laptop is not encrypted.
  • Passwords must not be posted on or under a computer or in any other physically accessible location.
  • Copies of documents containing confidential information should be immediately removed from printers and fax machines.

Data Security

  • Personnel should use approved encrypted communication methods whenever sending confidential information over public computer networks (Internet). 
  • Confidential information transmitted via USPS or other mail service must be secured in compliance with the Information Classification and Management Policy.
  • Only authorized cloud computing applications may be used for sharing, storing, and transferring confidential or internal information.
  • Information must be appropriately shared, handled, transferred, saved, and destroyed, based on the information sensitivity.
  • Personnel should not have confidential conversations in public places or over insecure communication channels, open offices, and meeting places.
  • Confidential information must be transported either by an Iowa Lakes Community College employee or a courier approved by IT Management.
  • All electronic media containing confidential information must be securely disposed. Please contact IT for guidance or assistance. 

Email and Electronic Communication

  • Electronic communications should not misrepresent the originator or Iowa Lakes Community College.
  • Personnel are responsible for the accounts assigned to them and for the actions taken with their accounts. 
  • Accounts must not be shared without prior authorization from Iowa Lakes Community College IT, except for calendars and related calendaring functions.
  • Any personal use of Iowa Lakes Community College provided email should not:
    • Involve solicitation.
    • Be associated with any political entity, excluding the Iowa Lakes Community College sponsored PAC.
    • Have the potential to harm the reputation of Iowa Lakes Community College.
    • Forward chain emails.
    • Contain or promote anti-social or unethical behavior.
    • Violate local, state, federal, or international laws or regulations.
    • Result in unauthorized disclosure of Iowa Lakes Community College confidential information.
  • Personal email accounts should not be used to send confidential information.
  • Personnel should only send confidential information using Iowa Lakes Community College secure electronic messaging solutions. 
  • Personnel should use caution when responding to, clicking on links within, or opening attachments included in electronic communications.
  • Personnel should use discretion in disclosing confidential or internal information in Out of Office or other automated responses, such as employment data, internal telephone numbers, location information or other sensitive data.

Hardware and Software

  • All hardware must be formally approved by IT Management before being connected to Iowa Lakes Community College networks.
  • All Iowa Lakes Community College Iowa Lakes Community College assets taken off-site should always be physically secured.
  • Personnel traveling to a High-Risk location, as defined by FBI and Office of Foreign Asset control, must contact IT for approval to travel with corporate assets.
  • Employees should not allow family members or other non-employees to access Iowa Lakes Community College Information Resources.

Internet

  • The Internet must not be used to communicate Iowa Lakes Community College confidential or internal information, unless the confidentiality and integrity of the information is ensured, and the identity of the recipient(s) is established. 
  • Use of the Internet with Iowa Lakes Community College networking or computing resources must only be used for business-related activities. Unapproved activities include, but are not limited to: 
  • Accessing or distributing pornographic or sexually oriented materials,
    • Attempting or making unauthorized entry to any network or computer accessible from the Internet. 
  • Access to the Internet from outside the Iowa Lakes Community College network using a Iowa Lakes Community College owned computer must adhere to all of the same policies that apply to use from within Iowa Lakes Community College facilities. 

Mobile Devices and Bring Your Own Device (BYOD)

  • The use of a personally-owned mobile device to connect to the Iowa Lakes Community College network is a privilege granted to employees only upon formal approval of IT Management.
  • All personally-owned laptops and/or workstations must have approved virus and spyware detection/protection software along with personal firewall protection active. 
  • Mobile devices that access Iowa Lakes Community College email must have a PIN or other authentication mechanism enabled.
  • Confidential data should only be stored on devices that are encrypted in compliance with the Iowa Lakes Community College Encryption Standard. 
  • Iowa Lakes Community College confidential information should not be stored on any personally-owned mobile device.
  • Theft or loss of any mobile device that has been used to create, store, or access confidential or internal information must be reported to the Iowa Lakes Community College Security Team immediately. 
  • All mobile devices must maintain up-to-date versions of all software and applications. 
  • All personnel are expected to use mobile devices in an ethical manner.
  • Jail-broken or rooted devices should not be used to connect to Iowa Lakes Community College Information Resources. 
  • Iowa Lakes Community College IT Management may choose to execute “remote wipe” capabilities for mobile devices without warning (see Mobile Device Email Acknowledgement).  
  • In the event that there is a suspected incident or breach associated with a mobile device, it may be necessary to remove the device from the personnel’s possession as part of a formal investigation.
  • All mobile device usage in relation to Iowa Lakes Community College Information Resources may be monitored, at the discretion of Iowa Lakes Community College IT Management.
  • Iowa Lakes Community College IT support for personally-owned mobile devices is limited to assistance in complying with this policy.  Iowa Lakes Community College IT support may not assist in troubleshooting device usability issues.
  • Use of personally-owned devices must follow all other Iowa Lakes Community College policies.
  • Iowa Lakes Community College reserves the right to revoke personally-owned mobile device use privileges if personnel do not abide by the requirements set forth in this policy.
  • Texting or emailing while driving is not permitted while on company time or using Iowa Lakes Community College resources. Only hands-free talking while driving is permitted, while on company time or when using Iowa Lakes Community College resources.

Physical Security

  • Photographic, video, audio, or other recording equipment, such as cameras in mobile devices, is not allowed in secure areas. 
  • Personnel must always display photo ID access card while in the building. 
  • Personnel must badge in and out of access-controlled areas. Piggy-backing, door propping and any other activity to circumvent door access controls are prohibited. 
  • Visitors accessing card-controlled areas of facilities must have an approved temporary authorization badge.
  • Eating or drinking are not allowed in data centers. Caution must be used when eating or drinking near workstations or information processing facilities.

Privacy

  • Information created, sent, received, or stored on Iowa Lakes Community College Information Resources are not private and may be accessed by Iowa Lakes Community College IT employees at any time, under the direction of Iowa Lakes Community College executive management and/or Human Resources, without knowledge of the user or resource owner.
  • Iowa Lakes Community College may log, review, and otherwise utilize any information stored on or passing through its Information Resource systems.
  • Systems Administrators, Iowa Lakes Community College IT, and other authorized Iowa Lakes Community College personnel may have privileges that extend beyond those granted to standard business personnel.  Personnel with extended privileges should not access files and/or other information that is not specifically required to carry out an employment related task.

Removable Media

  • The use of removable media for storage of Iowa Lakes Community College information must be supported by a reasonable business case.
  • All removable media use must be approved by Iowa Lakes Community College IT prior to use.
  • Personally-owned removable media use is not permitted for storage of Iowa Lakes Community College information.
  • Personnel are not permitted to connect removable media from an unknown origin, without prior approval from the Iowa Lakes Community College IT.
  • Confidential and internal Iowa Lakes Community College information should not be stored on removable media without the use of encryption.
  • The loss or theft of a removable media device that may have contained Iowa Lakes Community College information must be reported to the Iowa Lakes Community College IT.

Security Training and Awareness

  • All new personnel must complete an approved security awareness training class prior to, or at least within 30 days of, being granted access to any Iowa Lakes Community College Information Resources.
  • All personnel must be provided with and acknowledge they have received and agree to adhere to the Iowa Lakes Community College Information Security Policies before they are granted to access to Iowa Lakes Community College Information Resources. 
  • All personnel must complete the annual security awareness training.

Social Media

  • Any social media page or account that is created on behalf of Iowa Lakes Community College, must include the Iowa Lakes Web Specialist as an account administrator, as well as a member of the President’s Cabinet.
    • Example 1: A program Facebook page should add their Campus Dean and the Web Specialist as an account administrator.
    • Example 2: A department, Admissions, should add the Executive Dean of Students and the Web Specialist as an account administrator. 
  • Communications made with respect to social media should be made in compliance with all applicable Iowa Lakes Community College policies.
  • Personnel are personally responsible for the content they publish online.
  • Creating any public social media account intended to represent Iowa Lakes Community College, including accounts that could reasonably be assumed to be an official Iowa Lakes Community College account, requires the permission of the Iowa Lakes Community College Marketing Department. 
  • When discussing Iowa Lakes Community College or Iowa Lakes Community College -related matters, you should:
    • Identify yourself by name,
    • Identify yourself as an Iowa Lakes Community College representative, and
    • Make it clear that you are speaking for yourself and not on behalf of Iowa Lakes Community College, unless you have been explicitly approved to do so.
  • Personnel should not misrepresent their role at Iowa Lakes Community College.
  • When publishing Iowa Lakes Community College -relevant content online in a personal capacity, a disclaimer should accompany the content.  An example disclaimer could be; “The opinions and content are my own and do not necessarily represent Iowa Lakes Community College’s position or opinion.”
  • Content posted online should not violate any applicable laws (i.e. copyright, fair use, financial disclosure, or privacy laws).
  • The use of discrimination (including age, sex, race, color, creed, religion, ethnicity, sexual orientation, gender, gender expression, national origin, citizenship, disability, or marital status or any other legally recognized protected basis under federal, state, or local laws, regulations, or ordinances) in published content that is affiliated with Iowa Lakes Community College will not be tolerated.
  • Confidential information, internal communications and non-public financial or operational information may not be published online in any form.
  • Personal information belonging to customers may not be published online.  
  • Personnel approved to post, review, or approve content on Iowa Lakes Community College social media sites must follow the Iowa Lakes Community College Social Media Procedures.

Voice Mail 

  • Personnel should use discretion in disclosing confidential or internal information in voice mail greetings, such as employment data, internal telephone numbers, location information or other sensitive data.
  • Personnel should not access another user’s voicemail account unless it has been explicitly authorized.

Incidental Use

  • As a convenience to Iowa Lakes Community College personnel, incidental use of Information Resources is permitted. The following restrictions apply:
    • Incidental personal use of electronic communications, Internet access, fax machines, printers, copiers, and so on, is restricted to Iowa Lakes Community College approved personnel; it does not extend to family members or other acquaintances.
    • Incidental use should not result in direct costs to Iowa Lakes Community College.
    • Incidental use should not interfere with the normal performance of an employee’s work duties.
    • No files or documents may be sent or received that may cause legal action against, or embarrassment to, Iowa Lakes Community College or its customers.
  • Storage of personal email messages, voice messages, files and documents within Iowa Lakes Community College Information Resources must be nominal
  • All information located on Iowa Lakes Community College Information Resources are owned by Iowa Lakes Community College may be subject to open records requests, and may be accessed in accordance with this policy.

Definitions

See Appendix A: Definitions

References

  • ISO 27002: 6, 7, 8, 9, 11, 12, 13, 16, 18
  • NIST CSF: PR.AC, PR.AT, PR.DS, DE.CM, DE.DP, RS.CO
  • Iowa Lakes Community College Information Classification Policy
  • Iowa Lakes Community College Incident Management Policy
  • Iowa Lakes Community College Asset Management Policy
  • Iowa Lakes Community College Personnel Security Policy
  • Iowa Lakes Community College Identity and Access Management Policy
  • Iowa Lakes Community College Encryption Policy
  • Iowa Lakes Community College Physical Security Policy
  • Iowa Lakes Community College Security Training and Awareness Policy

Waivers

Waivers from certain policy provisions may be sought following the Iowa Lakes Community College Waiver Process.

Exceptions

Auto-forwarding electronic messages outside the Iowa Lakes Community College internal systems is prohibited. 

Software installed on Iowa Lakes Community College equipment must be approved by IT Management and installed by Iowa Lakes Community College IT personnel.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.  

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Version History

Version  Modified Date Approved Date Approved By Reason/Comments
1.0.0 June 2019 Iowa Lakes Community College Document Origination