Feb 05, 2023  
2021-2022 Student Handbook 
    
2021-2022 Student Handbook

Information Technology Resources and Acceptable Use Policies



This policy outlines Howard College Information Technology Resources as well as the Acceptable Use Policy, to comply with state and federal requirements including, but not limited to, TAC 202 and FERPA requirements.

Security Violations and Sanctions

Howard College Information Technology resources are valuable assets strategically provided to further the instructional, research, public service, and administrative functions of the college.  Individuals using Information Technology owned or managed by the college are expected to know and comply with all college policies, procedures, as well as local, state and federal laws.  Individuals are responsible for the security of any computer account issued to them and will be held accountable for any activity that takes place in their account.

Detecting and Reporting

Users of Howard College Information Technology resources are expected to report any known or observed attempted security violation.  Additionally, they must not conceal or help to conceal violations by any party.   Any actual or suspected security violation should be reported immediately to the Dean of Information Technology Services, a Cabinet member or the President of Howard College.

Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include termination for employees, a termination of employment relations in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student.  Additionally, individuals are subject to loss of Howard College Information Technology resources, access privileges, civil, and criminal prosecution, as well as legal action under state and federal laws, and legal action by the owners and licensors of proprietary software for violation of copyright laws and license agreements.

Responsibilities

  1. The president of the college shall appoint an Information Security Officer (ISO) who shall report to executive management of the college.The ISO is the Dean of Information Technology Services.
  2. The Information Security Office shall ensure that ongoing information security trainings are held and compliance assessments are completed.
  3. The Information Security Officer, in cooperation with information owners and custodians, shall develop and recommend policies, procedures, and practices necessary to ensure the security of information resources against unauthorized or accidental modification, destruction, or disclosure as maintained in the Howard College Internal Control Plan Procedures.
  4. The Information Security Officer shall ensure that an independent, third party, biennial review of the information security program is performed, including but not limited to the Internal Control Plan Procedures.
  5. Where appropriate and possible a logon banner/warning should be presented when a user logs on to a system.

Data Classification and Risk Assessment

  1. All data owners or designated custodians shall be responsible for classifying data processed by systems under their purview based on data sensitivity so that the appropriate security controls can be applied and the information resource can be appropriately managed. 
  2. The Howard College Internal Control Plan will be used to classify data types and their need for confidentiality, integrity, and availability.

Physical and Environmental Security Policy

  1. All physical security and environmental control systems must comply with all applicable regulations such as, but not limited to, building codes and fire prevention codes.
  2. All information resource facilities must be protected against loss from both physical and environmental threats in proportion to the category of data or systems housed within the facility.
  3. Requests for access must be approved by the department head and authorized by the ISO.
  4. Access codes, and/or keys must be changed on a periodic basis based on the criticality or importance of the facility.
  5. Access codes, and/or keys must not be shared, reallocated, or loaned to others.
  6. Keys that are no longer required must be returned to HR Department.
  7. Lost, stolen, or compromised access codes, and/or keys must be reported to ISO.
  8. The code and/or key access rights of individuals that change roles within the college or are separated from their relationship with the college shall be removed.

Backup and Business Continuity

  1. The ISO is responsible for developing and maintaining a Disaster Recovery Plan designed to address the operational restoration of the college’s critical computer processing capability.
  2. The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
  3. All vendor(s) providing offsite backup storage, if any, for the college must be cleared to handle the highest level of information stored.
  4. Physical access controls implemented at offsite backup storage locations, if any, must meet or exceed the physical access controls of the source systems.Additionally, backup media must be protected in accordance with the college’s highest sensitivity level of information stored.
  5. The backup and recovery process for each system must be documented and periodically reviewed by the ISO or designee.
  6. Backups must be periodically tested by the ISO or designee to ensure that they are recoverable.

Portable Computing and Encryption

  1. Only portable computing devices approved by the Information Technology Department may be used to access college information resources.
  2. College owned portable computing devices must be password protected.
  3. Unattended portable computing devices must be physically secure.  This means they must be locked in an office, locked in a desk drawer or filing cabinet, or locked in a secure, out-of-sight area of a vehicle.

Acceptable Use

  1. Howard College and the Information Technology Department are finite by nature.All users must recognize that certain uses of college owned information technology resources may be limited or regulated as required to fulfill the college’s primary teaching, research and public service missions.
  2. Users must report any weaknesses in computer security, any incidents of possible misuse or violation of this agreement to the ISO.
  3. Users must not attempt to access any data or programs contained on college systems for which they do not have authorization or explicit consent to do so.
  4. Users must not share their college account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e.Smartcard), or similar information or devices used for identification and authorization purposes.
  5. Users are responsible for all actions that take place with their account.
  6. Users must distinguish between ideas, comments, and opinions of the individual user versus those that represent the official positions, programs, and activities of the college.
  7. The college is not responsible for the content of documents, exchanges or messages, including links to other information locations on the internet or world wide web, that reflect only the personal ideas, comments and opinions of individual members of the college community, even where they are published or otherwise circulated to the public at large by means of college information technology resources.
  8. Students, faculty and staff using information technology resources for purposes of exchanging, publishing or circulating official institutional documents must follow Howard College requirements concerning appropriate content, style and use of logos, seals, or other official insignia.
  9. Users of Information Technology resources must not use any software not provided by the college without Information Technology Department approval.
  10. Users must not purposely engage in activity that may interference with or disrupt computer systems and networks and related services, by means including, but not limited to, the propagation of computer “worms”, “viruses” and “Trojan Horses”. Users may not harass, threaten or abuse others; degrade the performance of college information technology resources, deprive an authorized Howard College user access to a college resource, obtain extra resources beyond those allocated, or circumvent any computer security measures.
  11. Users must not download, install or run security programs or utilities that reveal or exploit weaknesses in the security of a system.For example, users must not run password cracking programs, packet sniffers, or port scanners or any other non-approved programs on college information technology resources.
  12. Use of the College’s information technology resources is strictly prohibited for unauthorized commercial activities, fraud, personal gain, and private, or otherwise unrelated to the College business or fundraising. This includes soliciting, promoting, selling, marketing or advertising products or services, reselling College resources, or political lobbying or campaigning.
  13. Users must not intentionally create, access, store, view or transmit material which the college may deem to be offensive, indecent or obscene (other than in the course of academic research where this aspect of the research has the explicit approval of the college’s official processes for dealing with academic ethical issues).
  14. Illegal material may not be used to perform any legitimate job or academic function and therefore may not be created, accessed, stored, viewed, or transmitted on college information technology resources.
  15. A Howard College owned, home based, computer must adhere to all the same policies that apply to use from within Howard College - facilities.Employees must not allow family members or other non-employees access to college computer systems.
  16. Users must not otherwise engage in acts against the aims and purposes of Howard College - as specified in its governing documents or in rules, regulations and procedures adopted from time to time.
  17. All user activity on Information Technology resources assets is subject to logging, monitoring, and review.
  18. Privately owned information resources are subject to the Acceptable Use Policy when used or operated on campus.
  19. As a convenience to the Howard College, user community, some incidental use of Information Technology resources is permitted.The following restrictions apply:
  • Incidental personal use of electronic mail, internet access, fax machines, printers, copiers, telephones, and so on, is restricted to college approved users; it does not extend to family members or other acquaintances.
  • Incidental use must not result in direct costs to the college.
  • Incidental use must not interfere with the normal performance of an employee’s work duties.
  • No files or documents may be sent or received that may cause legal action against, or embarrassment to, the college.
  • Storage of personal email messages, voice messages, files and documents within the college’s Information Technology Department must be minimal and anything deemed to be excessive can be deleted at the discretion of the ISO.Further, it is the responsibility of the individual to have personal data backed up on a privately owned storage device and the college is responsible for any lost personal media or data.
  • All messages, files and documents – including personal messages, files and documents – located on college Information Technology Department equipment are owned by the college, may be subject to open records requests, and may be accessed in accordance with this policy.

Account Management

  1. All access requests for Information Technology resources shall follow an account creation process that includes appropriate approvals.
  2. Users (Trustees, full-time and part-time employees, official retirees, students and other approved users) must sign the appropriate Howard College - Information Technology Department Security Acknowledgement and Nondisclosure Agreement before access is given.
  3. All accounts must be uniquely identifiable using a centrally assigned user name from the Information Technology Department.
  4. All accounts have a password construction and expiration that complies with the college Password Security Guidelines issued by the ISO.
  5. Accounts of individuals, who have had their status, roles, or affiliations with the college change or who have become separated from the college, shall be updated or revoked to reflect their current status.
  6. Accounts of individuals on extended leave may be disabled at the discretion of the Information Technology Department.
  7. Accounts should be reviewed periodically by system administrators and data owners to ensure their status is correct.
  8. All vendor, consultant, and contractor accounts shall follow this policy.

Administrator/Special Access

  1. All users of system administrator or other special access accounts must be authorized by the ISO, appropriate administrators and data owners.
  2. Users must sign the appropriate Howard College - Information Technology Department Security Acknowledgement and Nondisclosure Agreement before access is given to an administrator or other special access account.
  3. The password for a shared administrator/special access account must change when an individual with the password leaves the department or college, or upon a change in the third-party vendor personnel assigned to a college contract.
  4. When special access accounts are needed for internal or external Audit, software development, software installation, or other defined need, they must be:
  • authorized by the system or data owner
  • created with a specific expiration date
  • removed when work is complete

Change Management Policy

  1. Significant changes to any of the college’s critical information resources, such as:  operating systems, computing hardware, networks, and applications is subject to the discretion of the college administration with guidance and leadership provided by the Dean of Information Technology.
  2. Minor changes will be made by the Information Technology Department under the leadership of the Dean of Information Technology.

Network Access

  1. Use of the college network constitutes acknowledgement of, and agreement to abide by all policies set forth in the Acceptable Use Policy.
  2. Users are permitted to use only those network addresses issued to them by the Information Technology Department.
  3. All remote access to the college internal network must be authorized by Information Technology Department.
  4. Users must not extend or re-transmit network services in any way.
  5. Users must not install or alter network hardware or software in any way.
  6. Network devices that pose an immediate threat to network operations, performance, or other network-connected devices must be disconnected or quarantined to minimize risk until the threat is removed.

Network Management and Configuration

  1. The Information Technology Department owns and is solely responsible for the management or administration of the college data and telephony network infrastructure including, but not limited to, the following:
  • Installation, configuration and operation of all switches, routers, wireless devices, and firewalls
  • Installation, configuration and operation of active network management devices
  • Establishment and management of all protocols used on the college network
  • Network address allocation and distribution
  • All connections to external third party data and telephony networks
  • All communications cabling installation or modification
  • Extension or re-transmission of network services in any way
  • Configuration and broadcast of all wireless signals providing access to the college network
  • Installation and configuration of all telephony devices
  • Creation and maintenance of all college network infrastructure standards and guidelines
  • Creation and maintenance of a directory of network devices
  1. Any device connected to the college network is subject to Information Technology Services Department management and monitoring standards.

Information Technology Department Privacy Policy

  1. Electronic files and data created, sent, received, stored, or transmitted across computers or other information technology resources owned, leased, administered, or otherwise under the custody and control of the college are not private unless expressly stated in federal or state law and may be accessed at any time by the college administration, following a defined approval process, without knowledge of the information resource user or owner. Applicable open records requests shall follow the college standard formal request process.
  2. The college may log, review, capture, and otherwise utilize information stored on or passing through its information technology resources as needed for the purpose of system administration and maintenance,forresolutionoftechnicalproblems,forcompliancewithTexasPublic Information Act, for compliance with federal or state subpoenas, court orders, or other written authorities, allow institutional officials to fulfill their responsibilities when acting in their assigned capacity, and to perform audits.No notification is required to view this information; however, users with privileged access are expected to maintain the privacy of the individual.
  3. Identifying information shall be removed before sharing collected information to prevent loss of individual privacy where possible.
  4. Employees, contractors, vendors, and affiliates of the college shall safeguard the privacy and security of any information owned by or entrusted to the college.
  5. Disclosure of personally identifiable information to unauthorized persons or entities is expressly forbidden.
  6. Access to personally identifiable information shall be granted through an appropriate approval process and be revalidated on a regular basis.
  7. Paper and electronic documents containing personally identifiable information shall be secured during use and when not in use.
  8. Electronic documents containing personally identifiable information shall only be stored on authorized systems.

Software Licensing

  1. Copies of software licensed by the college shall not be made without verifying that a copy is permitted via the license agreement.
  2. Software used on college-owned systems shall be properly licensed for their method of use (concurrent licensing, site licensing, or per system licensing).
  3. The college has the right to remove inappropriately licensed software from college computers if the user is not able to show proof of license.
  4. Software license management shall be monitored by the Information Technology Services Department.

Computer Related Purchasing and Support

  1. The Information Technology Services Department must approve all information technology related software and hardware purchases regardless of source of funds, including any device capable of storing, transmitting or processing electronic college owned data.
  2. The Information Technology Department will assist the Purchasing Department with all quotes for bids and prices.
  3. Each division, department, and office must consult with the Information Technology Department when preparing its annual budget for guidance in developing its requests for funds for hardware and software acquisitions.

Data Disposal and Destruction

  1. Prior to the sale, transfer, or other disposal of information technology resources, the Information Technology Department will assess whether to remove data from any associated storage device.
  2. Electronic state records shall be destroyed in accordance with state and federal guidelines.
  3. The college shall keep a record/form (electronic or hard copy) documenting the removal and completion of the process with the following information:
  • date
  • description of the item(s) and serial number(s)
  • inventory number(s)

Peer-to-Peer

  1. Users of state computers or networks shall not download/install or use any P2P software on state computers, networks, or mobile computing device (PDA) without specific authorization in writing from the Information Technology Department.
  2. Any permitted use of P2P software is subject to all information resource policies including the Acceptable Use Policy.