Information Security and Acceptable Use

  • Procedure Type: Information Technologies
  • Procedure Title: Information Security and Acceptable Use
  • Procedure Number: NA
  • Office Responsible: Information Technologies
  • Related Policies: Information Technology Resources
  • Related Procedures: NA
  • Related Laws: NA
  • HLC Criterion: NA

Overview
This Administrative Procedure defines OCC organizational expectations for responsible use of OCC information technology by building a culture of information security risk awareness and mitigation.

Authority
OCC must comply with information security requirements defined by applicable federal and state regulations, OCC policies, and contractual obligations. This includes, but is not limited to, Michigan Act 566 (PA of 2006), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Gramm–Leach–Bliley Act (GLBA), the FBI's Criminal Justice Information Services (CJIS) Security Policy, Department of Education (DOE) and Digital Millennium Copyright Act (DMCA).

Intellectual Property Ownership
This Policy does not create or supersede any existing ownership rights to intellectual property. Existing intellectual property ownership rights defined by applicable law, OCC policy, regulations, or contractual agreements do not change based on storage location. OCC personnel who may have access to content in the course of performing job responsibilities do not obtain ownership rights to that content.

Roles & Responsibilities
Appropriate levels of information security can only be achieved with a well-coordinated team effort across the OCC organization. Stakeholders must work together to identify risks and take responsibility for appropriate controls.

IT
IT promotes compliance and transparent discussion of risks associated with OCC Information Technology. IT has oversight responsibility, including establishing the Information Security and Acceptable Use Policy and related Information Security Procedures, testing for compliance, and reporting risk to internal and external stakeholders.

Data Owners (DO)
The DO is typically the responsible manager or department that collects or is the primary user of a data asset. DOs are responsible for achieving compliance with this Policy, applying for exemptions when justified, and accepting residual risk when security threats cannot be further mitigated. DO responsibilities include approving or denying requests to access their data and periodically reviewing access assignments and recommending or taking corrective action if inappropriate access is detected.

Data Custodian (DC)
The DC is designated by IT and assists with the ongoing operational tasks of managing information assets. For example, server and application administrators and software developers may be considered DCs.

Data User (DU)
DUs are the individuals whom the DOs have authorized to access a data asset. DUs typically have no role in determining the security requirements for the information asset or performing server or application maintenance. Nonetheless, DUs must understand and abide by the security requirements of the information asset and the expectations of this Policy.

Data Classification
All College Data is subject to a risk-based data classification standard maintained by IT and must be protected accordingly. The classifications are Confidential Data, Controlled Data, and Public Data. Data classification is the primary factor for establishing necessary security controls. Additional controls may be warranted for systems where integrity, availability, and/or accountability requirements are more critical than the requirements for confidentiality.

Confidential Data
Confidential data is information pertaining to a person or entity that, if disclosed, released to the public, or used carelessly (criminal act), could reasonably be expected to put the person or the entity at risk of damage to their financial standing, employability or reputation. The College is bound by law to protect some types of confidential data.

Confidential data should be shared only as mandated by law or as required for administrative or educational functionality. Examples of confidential data include the following:

  1. Social Security Number
  2. Credit Card Holder Information
  3. Checking or Savings Account information or other bank account numbers
  4. Debit card number
  5. Passwords
  6. Disability Information
  7. Health and Medical Information

Controlled Data
Controlled data is defined as information that is not confidential, but can be used as personally identifiable or private information. This data must be guarded due to proprietary, ethical or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use.

This data is releasable in accordance with the Michigan Freedom of Information Act. Controlled data is generally restricted to users who have a legitimate purpose for accessing such information. Controlled data must be appropriately protected to ensure a controlled and lawful release.

One piece of Controlled data cannot in and of itself be used to identify anyone. Two or more pieces of data are needed. Examples of Controlled data include:

  1. Staff and student home addresses and phone numbers
  2. FERPA directory information
  3. Class lists
  4. Payroll information
  5. Beneficiary/dependent information
  6. Campus safety and security incident reports
  7. Driver license numbers
  8. Date of birth
  9. Ethnicity
  10. Student records

Public Data
Public data is information that is open to the public and that can be freely given to anyone without any damage to the College or to an individual. Public data, while subject to College posting or disclosure procedures, is available to all users and to all individuals and entities external to the College community.
Examples of public data include:

  1. Publicly posted press releases by college administration
  2. Publicly posted schedule of classes
  3. Published College Catalog
  4. Information authorized for posting on the College public website
  5. Online staff directory, interactive maps, newsletters
  6. Board of Trustees agenda and minutes

General
OCC Information Technology is provided for the purpose of conducting the business of OCC. However, Users are permitted to use OCC Information Technology for use that is incidental to the User's official duties to OCC as permitted by this Policy.

Users have no expectation of privacy when using OCC Information Technology except as otherwise provided by OCC's Privacy Policy and applicable privacy laws. OCC has the authority and responsibility to access and monitor OCC Information Technology for purposes consistent with OCC's duties and mission.

College Data created or stored on a User's personally owned computers, mobile computing devices, removable storage devices, or in databases that are not part of OCC's Information Technology are subject to Public Information Requests, subpoenas, court orders, litigation holds, discovery requests and other requirements applicable to OCC Information Technology. The table below is provided to help Users understand the expectations associated with various scenarios involving data and computing devices:

College Data on OCC Information Technology:
  • In scope for this Policy
  • IT may have visibility in the course of performing job responsibilities – Users have no expectation of privacy
  • OCC has an interest in College Data

College Data on a Personally Owned Computing Device:
  • In scope for this Policy
  • IT has no monitoring capability, nor intent to pursue such capability
  • OCC has an interest in College Data, and User is required to cooperate if an investigation of possible risk to College Data is initiated
  • OCC has no interest in personally owned data, though personally owned data may be visible to OCC personnel in the course of performing an investigation
  • Users are discouraged from placing College Data onto personally owned computing devices

Personally Owned Data on OCC Information Technology:
  • In scope for this Policy
  • IT may have visibility in the course of performing job responsibilities – Users have no expectation of privacy
  • OCC has no interest in personally owned data and existing ownership rights remain unchanged
  • With the exception of personally owned data related to a User's job responsibilities (e.g. scholarly works), Users are discouraged from placing personally owned data onto OCC Information Technology

Personally Owned Data on a Personally Owned Computing Device:
  • Out of scope for this Policy
  • IT has no monitoring capability, nor intent to pursue such capability – Users do have expectation of privacy, provided that College Data is not present
  • OCC has no interest in personally owned data

Users shall never use OCC Information Technology to deprive access to individuals otherwise entitled to access College Data; to circumvent OCC information security measures; or in any way that is contrary to OCC's mission or applicable law.

Users in violation of the Computer Fraud and Abuse Act of 1986 & Title 18 U.S.C. Sec 1030 (CFAA) will be subject to OCC disciplinary actions and may be turned over to Law Enforcement. Users may not intentionally deny access to designated administrators of OCC Information Technology.

Users may not delete logs from systems to hide possible security violations or prevent authorized investigations. This does not apply when done for other purposes, such as de-identifying research data.

All employee users shall complete initial and annual training covering general information security best practices. In addition, some employees may be required to complete and/or attend training on information security specific to their role(s) in the organization, as recommended and/or directed by the Chief Information Officer, the employee’s supervisor, or designee(s).

Users should report misuse of OCC Information Technology or violations of this Policy to their management, to the IT Support Center, or to the CIO.

Confidentiality & Security of Data

Guidelines for Confidential Data and Controlled Data 
Access to Confidential Data
Access to Confidential data is given to authorized users who have a business need to know. 

Electronic access must be protected by a strong password, and users shall log out, lock, or secure documents and computers prior to leaving their work area. Departments should promptly notify the Information Technology Department of personnel changes.

Users shall access College Data only to conduct OCC business and only as permitted by applicable confidentiality and privacy laws. Users must not attempt to access data on systems they are not expressly authorized to access.

Users shall not disclose Confidential Data or Limit Access Data except as permitted or required by law and only as part of their official duties on behalf of OCC. Users may not use security-testing tools (e.g. password crackers, vulnerability scanners and/or exploitation code) from and/or against OCC Information Technology unless required for performance of official duties on behalf of OCC and approved by IT.

IT may temporarily limit or disable network connectivity for devices that pose a significant threat or disruption to OCC Information Technology or College Data.

OCC Information Technology may be observed by IT personnel responding to an investigation or incident, at the direction of OCC's Chancellor, OCC Human Resources, OCC Counsel, and/or law enforcement.

Electronic Distribution of Confidential Data
Confidential data must be encrypted during transmission over unsecured networks. Electronic distribution of confidential data must be encrypted if sent to approved recipients with the College email system, supported by the College. Email must be encrypted or password protected to approved recipients outside of College premises. Transmission of data must be via a secure method, such as secure file transfer protocol (SFTP). Third party agreements with outside vendors must require encryption or password protection. Instant messages, Google Docs, Dropbox, SkyDrive and similar Cloud services are not to be used for electronic transmission of confidential data.

Electronic Distribution of Controlled Data
There are no restrictions to approved recipients within the College via the email system supported by the College for limited information. If this information is sent to approved recipients outside of the College email system it must be encrypted, password protected, sent via private link, or faxed. Instant messages, Google Docs, Dropbox, SkyDrive and similar Cloud services are not to be used for electronic transmission of this data.

Storage of Confidential Data and Controlled Data
Information on paper must be stored in a locked drawer or other locked and secure location. It may not be downloaded or stored on laptops, flash drives or external removable media. The data may be downloaded on desktop personal computers temporarily for manipulation or processing. Backup files of confidential data must be encrypted.

Individual access controls shall be implemented at the network folder or directory level for Controlled electronic data. Google Docs, Dropbox, SkyDrive and similar Cloud services are not to be used for electronic transmission of this data.

Confidential Data or other information essential to the mission of OCC should be stored on an OCC managed network server when possible, rather than on an OCC-owned desktop workstation, laptop, or portable device.

Users are encouraged to store any College Data on OCC Information Systems, rather than personally owned equipment.

In cases when a User must create or store Confidential Data on a local hard drive or a portable device such as a laptop computer, tablet computer, or smart phone, the User must ensure the data is encrypted in accordance with OCC and any other applicable requirements.

Users may not store College Data with a third party storage service (often referred to as "cloud" storage) unless the service has been approved by IT. Because some computing devices are configured to automatically connect to potentially insecure remote storage services, Users are encouraged to confirm current settings on any computing devices used to access College Data and disable features they do not intend to use (e.g. personal Google Docs/Photos, iCloud, Dropbox, etc.).

Guidelines for Public Data
There are no restrictions for access to public information. 

Distribution of Public Data within the College
There are no restrictions to public information distributed within the College.

Distribution of Public Data outside of the College
There are no restrictions to public information distributed outside of the College.

Electronic distribution of Public Data
There are no restrictions to electronic distribution of public information. 

Storage of Public Data
There are no restrictions to storage of public information.

Incidental Use of OCC Information Technology
Incidental Use of OCC Information Technology must not interfere with User's performance of official OCC business, pose an unreasonable burden on system resources, result in direct costs to OCC, expose OCC to unreasonable risks, or violate applicable laws or other OCC Policy.

Users are encouraged to use personally owned Technology, rather than OCC Information Technology, for conducting personal computing and must understand that personally owned content stored on OCC Information Technology may be visible to OCC personnel whose job responsibilities involve the management and monitoring of OCC Information Technology.

A User's Incidental Use of OCC Information Technology does not extend to the User's family members or others regardless of physical location.

Incidental Use may include communications such as e-mails, web pages, and social media posts; if such communications could be reasonably interpreted as expressing the opinion or position of OCC, they should be accompanied by a disclaimer (e.g. "The opinions expressed are my own, and not necessarily those of my employer, Oakland Community College"). Incidental Use to conduct or promote the User's outside employment, including self-employment, is prohibited.

Incidental Use for purposes of political lobbying or campaigning is prohibited.

Accessing, creating, storing, or transmitting sexually explicit materials during Incidental Use is prohibited. Questions regarding whether particular content is "sexually explicit material" should be directed to OCC Vice Chancellor of the affected Academic/Business area.

Email
Emails sent or received by Employees/Contractors in the course of conducting OCC business are College Data that are subject to state records retention and security requirements. Emails sent or received by Students from the student.oaklandcc.edu domain are not subject to state records retention but are OCC managed accounts and there should be no expectation of privacy.

Employees/Contractors are expected to use OCC-provided email accounts for conducting OCC business, rather than personal email accounts; Employees/Contractors are encouraged to use personal email accounts for conducting personal communication and business, rather than OCC-provided email accounts.

Emails containing Confidential Data must be encrypted with tools and processes approved by IT in order to reduce risk of interception.

The following email activities are prohibited when using an OCC-provided email account:

  1. Sending an email under another individual's name or email address, except when authorized to do so by the intended User of the email account for a work-related purpose.
  2. Accessing the content of another User's email account except: 1) as part of an authorized investigation; 2) as part of an approved monitoring process; or 3) for other purposes specifically associated with the User's official duties on behalf of OCC.
  3. Maliciously sending or forwarding any email that is suspected by the User to contain computer malware. Forwarding to a malware researcher or the ISO for analysis does not represent malicious intent.
  4. Any Incidental Use prohibited by this Policy.
  5. Any use prohibited by applicable OCC policies and procedures. 

Portable and Remote Computing
All electronic devices including personally owned computing devices used to access, create or store Confidential Data or Controlled Data must be protected by mechanisms (e.g. passwords or biometrics) that limit access to authorized Users, in accordance with OCC Information Security Procedures. Any computing device on which Confidential Data is stored or created must be encrypted in a manner which protects the Confidential Data from unauthorized access.

College Data created and/or stored on personal computers, other computing devices and/or non-OCC Information Technology should be transferred to OCC Information Technology as soon as feasible (for example, to your network H:\ drive).

All remote access to Confidential Data and Controlled Data must be accomplished using an encrypted method approved by IT (client VPN on OCC issued equipment, point to point VPN with partner vendors, SSH, Remote Desktop Gateway, and VMWare Horizon client on personal or OCC equipment).

Portable computers, smart phones, and other computing devices are targets for theft. Because of this, Users are expected to take reasonable precautions to physically secure OCC Information Technology or personally owned computing devices containing College Data. This is especially important when theft is likely (e.g. place inside vehicle trunk when traveling; do not leave unattended at a coffee shop or food court; and/or lock in hotel safe when provided).

Access Control
Each individual provided with a system account shall maintain securely and never disclose his/her account password or credentials or knowingly permit another individual to access OCC Information Systems via his/her account, except in accordance with a lawful investigation. Any individual who knowingly accesses OCC Information Systems with a user account not specifically assigned to him/her is in violation of this Policy. Similarly, Users may not share individually-assigned access control devices (e.g. Door Cards/Badge, hardware tokens, and/or door keys) unless necessary to preserve life safety.

Computing accounts will be assigned to individuals, except when a shared account is justified by the functions being performed. Accounts designed specifically for a shared purpose or specific system task, such as facilitating data backups or scheduled batch processing, will be granted only in cases when absolutely necessary and will be shared with as few individuals as necessary to effectively perform OCC operations. Computing accounts providing access to OCC Information Systems will only be created when necessary to achieve OCC objectives. Access privileges will be assigned to provide the minimum necessary permission to perform job responsibilities.

OCC Information Systems are subject to risk-based authentication configuration settings defined in Information Security Procedures (e.g. password length, complexity, and 2-factor authentication). Account credentials should not be hard coded into scripts, software code, or system configurations. When hard coding credentials is deemed necessary, system owners will store these files in a secure manner and will maintain sufficient documentation to allow periodic manual changes to passwords or other credentials.

When employment relationships are subject to change or termination, responsible management will participate in checkout processes defined by Human Resources to ensure timely disabling of system access.

In order to limit the possibility of malicious access, IT may disable computing accounts based on reasonable indication that the account has been disclosed to, or compromised by, a malicious third party. IT shall assist in re-establishing control of the account by the intended User.

OCC Information Systems access should be designed to maintain separation of duties to reduce the risk of a malicious individual performing conflicting activities (e.g. requesting system access while also approving one's own system access). Compensating controls such as log monitoring and system enforced thresholds may also be implemented when conflicting duties cannot be separated.

Computer Systems Security
All OCC Information Systems, including production and non-production systems, must be configured and operated in accordance with Information Security Procedures.

All OCC Information Systems should be updated with the latest compatible software patches. This includes patches for the operating system and third-party applications. High-priority patches may need to be installed outside of routine change control procedures at the request of IT Management in order to address critical security vulnerabilities.

IT may participate at key steps of projects involving access to Confidential Data or Controlled Data. IT should assess security controls and notify stakeholders of risks prior to introducing new solutions into production. Costs of security testing, if applicable, will be considered part of the project budget.

All software used at OCC, including commercial and open source, must be used in compliance with End User License Agreements (EULAs). Software requiring fees for usage may not be used in a manner intended to avoid paying such fees.

Harmful or unlicensed software should be removed from OCC Information Systems at the direction of IT. All desktop and laptop computers located in unsecured areas (e.g., classrooms, labs, and hallways) will be equipped with lockdown hardware to prevent the theft of the equipment from OCC facilities.

Backup & Recovery
OCC Information Systems are subject to backup procedures and methods to ensure continuity of operations. Data backups must be performed according to a schedule consistent with data retention and destruction requirements appropriate for the data type and classification. Backups must be periodically tested to ensure functionality.

When backup media is retired, it must be destroyed according to Information Security Procedures.

Data Destruction
Data must be stored and retained according to the OCC Records Retention Schedule. To prevent access to Confidential Data by unauthorized parties, storage media must be destroyed according to Information Security Procedures.

Storage media (e.g. hard drives, flash memory, magnetic data tapes, and floppy disks) must be securely overwritten before reuse and physically destroyed at the end of the useful life of the device. Paper and CD/DVD optical media must be securely shredded in a manner sufficient to prevent reassembly.

OCC-issued mobile computing devices are subject to electronic erase or factory reset procedures before the device is issued to another User or retired from service.

Vendors who host data remotely must provide OCC with a certificate of data destruction upon termination of the contract.

Physical Security
Locations that support access to OCC Information Systems must be protected in accordance with the value of the information assets at risk. High-risk locations include, but are not limited to, data centers, server closets, wiring closets, file rooms, and labs.

Users are encouraged to wear OCC identification in restricted access areas.

Users who work in restricted access areas should remain aware of unidentified individuals who may attempt to gain access.

Locked doors protecting restricted access areas should not be propped open if unattended.

Users will maintain a workspace where Confidential Data or Controlled Data is stored in a manner to mitigate risk of observation or theft by unauthorized parties (e.g. locked offices, locked file cabinets, and/or privacy screens).

Third-Party Vendors
All third-party vendors that host or access College Data are subject to assessment by IT. Contracts with third parties will include expectations for information security. Third parties will be expected to protect OCC Information Systems and College Data with security equal to or better than levels defined in this Policy and applicable Information Security Procedures. All third parties performing tasks or data processing for OCC are required to notify OCC immediately if a security incident has occurred, or is suspected to have occurred.

Business Continuity Planning
Individuals responsible for critical operations must maintain a business continuity plan which accounts for facilities, equipment, staffing, and OCC Information Systems needs.

Exemptions
Compliance with all elements of this Policy may not be possible in some situations given the tradeoffs between risk, cost, and operational impact. Users may request exemptions to elements of this Policy; requests will be subject to approval or denial by the CIO within 30 days of the request when possible. When applicable, DOs will be asked to accept risks associated with non-compliance. Exemption requests should include an explanation of why compliance with specific Policy elements is not feasible and should describe compensating controls that are in place to reduce risk. Approved exemptions will include an expiration date and be tracked by IT.

Exemption requests not approved by the CIO may be appealed to OCC's Chancellor.

Disciplinary Actions
Instances of noncompliance, or attempted noncompliance, may constitute a security violation that is subject to investigation and possible disciplinary action, civil prosecution, and/or criminal prosecution in accordance with applicable policies and laws.

Violations may result in disciplinary action by Human Resources in accordance with pertinent policies, up to and including termination of work relationships. Students involved in violations will be referred to the Dean of Student Services. Suspected illegal activities will be escalated to OCC Public Safety and appropriate law enforcement agencies.

This Policy does not create or supersede any existing OCC processes for taking disciplinary action. IT shall not take direct disciplinary action against a User; however, IT may participate in existing OCC processes for taking disciplinary action.

Server and application administrators may be called upon to provide information to support a disciplinary investigation or similar purpose. Accessing emails, log files, or other data for investigative purposes (not to be confused with routine operations, troubleshooting, and system management) without proper authorization – particularly in retaliation for whistleblower complaints – is an actionable abuse of privilege.

Data Breach
A data breach is any instance in which there is an unauthorized release or access of PII or other information not suitable for public release. This definition applies regardless of whether an organization stores and manages its data directly or through a contractor, such as a cloud service provider. Data breaches can take many forms including:

  • hackers gaining access to data through a malicious attack (virus, phishing, etc.);
  • lost, stolen, or temporarily misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.);
  • employee negligence (e.g., opening malicious email, leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and
  • policy and/or system failure (e.g., a policy that doesn’t require multiple overlapping security measures—if backup security measures are absent, failure of a single protective system can leave data vulnerable).

In the event of a data breach or suspected breach of data, details should be reported to the IT Support Center immediately for evaluation and mitigation.

Confidentiality
Anyone involved with the discovery of, or the response to, an IT security incident (breach, etc.) should handle event details with the greatest level of confidentiality. Information should only be shared on a ‘need to know’ basis and only with those who are involved with the response to the incident. In the event of an IT security incident, uncontrolled release of details about the nature of the event and/or the information compromised in the incident can cause three negative outcomes:

  1. The perpetrator(s) may gain additional information about their victim (OCC), or be “tipped off” about the investigation, which may reduce our chances of apprehending the perpetrator.
  2. Confidential data, whether student records, personal information, or internally sensitive material, can be leaked inadvertently.
  3. Erroneous media exposure about OCC or its employees may result.

Acceptable Use
By acknowledging this Information Security and Acceptable Use Policy, users are acknowledging Policies for Acceptable Use.

User Acknowledgement
Users must acknowledge that they received access and read the Information Security and Acceptable Use Policy. They must understand and agree that use of OCC Information Technology is conditional upon agreement to comply; noncompliance may result in disciplinary action as outlined above.

Definitions (alphabetical order)
Confidential Data: The subset of College Data that is private or confidential by law or otherwise exempt from public disclosure (e.g. Social Security Numbers, personally identifiable Medical and Medical Payment information; Driver's License Numbers and other government-issued identification numbers; Education Records subject to the Family Educational Rights & Privacy Act (FERPA); financial account numbers, and/or other College Data about an individual likely to expose the individual to identity theft).

Controlled Data: The subset of College Data that is not created for or made available for public consumption but that is subject to release under the Public Information laws (e.g. network diagrams, OCC emails, and/or OCC-ID number).

College Data: This Policy uses the term College Data to refer to data for which OCC has a responsibility for ensuring appropriate information security or would be liable for data exposure, as defined by applicable law, OCC policy, regulations, or contractual agreements. College Data may include information held on behalf of OCC or created as a result and/or in support of OCC business (e.g. financial records, personnel records, officially maintained student records, and/or records of official OCC committees), including paper records. This definition does not imply, address, or change intellectual property ownership.

Incidental Use: Occasional personal use of OCC Information Technology. Activities related to official duties on behalf of OCC, such as research and teaching, are not Incidental Use.

Information Security Procedures: Documented controls specified for specific technology components which, when implemented, reduce risk of compromise (e.g. change default passwords, disable unnecessary services, apply current compatible patches, include in backup scheme).

IT: The Information Technology department is led by the Vice Chancellor of Information Technologies/Chief Information Officer, and is assigned responsibility for planning and ongoing operation of college owned information technology such as telecommunications networks, computers, software, databases, system integration and hosted solutions.

Mobile computing device: Laptops, tablets, smart phones, or other devices designed to be easily portable that are capable of creating, storing, or processing College Data.

OCC: Oakland Community College

OCC Information Technology: All computer and telecommunications equipment, software, data, and media, owned or controlled by OCC or maintained on its behalf.

Public Data: The subset of College Data intended for public consumption (e.g. marketing materials, press releases, public websites, published papers, and/or OCC-issued email address). 

User: Any individual granted access to OCC Information Technology, including guests and contractors.

Change Log

  • 07-01-2018  Effective date
