Policies and Procedures

Policy

Appropriate Use of Information Technology Resources

Effective
December 13, 2007
Category(ies)
Finance and Administration
Approval(s)
President and Vice Presidents: November 29, 2005 Signature (pdf)
President and Vice Presidents: November 13, 2007 Signature (pdf)
Steward(s)
Director of Computing and Communication
Revision(s)
November 14, 2007

Purpose

Evergreen’s information technology (IT) systems are a continually growing and changing resource that supports thousands of users. These resources are vital to the work of the entire Evergreen community, and to the full breadth of activities that contribute to the fulfillment of the college’s mission.

This appropriate use policy balances campus community needs for flexibility and exploration with Evergreen’s need for secure and reliable IT systems. In order to ensure a reasonable and dependable level of service, it is essential that each member of the campus community exercise responsible, ethical behavior when using these resources. Misuse by even a few individuals has the potential to disrupt the legitimate academic work of faculty and students, or the business of the college.

This policy is intended to supplement, not replace, existing laws, regulations, policies and contracts that currently apply to these resources (see Illustrative Laws and Policies section).

Scope

This policy applies to all IT system users (see Access/Eligibility below). It covers:

  • any and all college owned or managed computer systems (including but not limited to email, web pages, administrative applications, academic applications, personal computers, mini- and mainframe computers, file storage, and all forms of software);
  • computer-related equipment (including but not limited to personal digital assistants, wireless devices, facsimile machines, scanners, printers, telephones, video and other multimedia devices, and associated peripherals);
  • interconnecting networks;
  • any information stored on any of these systems;
  • any personally owned equipment on campus that is connected to the college network or equipment connected through Evergreen’s modem pools.

Access/Eligibility

  • Information technology resources are provided by Evergreen for use by its Students, Faculty, Staff, and Guests. In addition, Evergreen’s library provides access to its resources for the general public.

Roles and Responsibilities

Users of Evergreen information technology resources have a responsibility to protect these resources, and to respect the rights of others. They are responsible for familiarizing themselves with state and federal laws that pertain to information technology, as well as the contents of this, and related, college policies (see Illustrative Laws and Policies section). Users of college information technology resources should:

  • use resources within the boundaries of college policies and federal, state, and local laws, and rules by adhering to ethical restrictions on use of college property and data ;
  • use resources in a manner that does not diminish the reliability or availability of those systems or resources for other users;
  • protect their passwords, and prevent unauthorized access to or from their computers and system accounts;
  • demonstrate a respect for other user’s intellectual property, rights to privacy, or rights to freedom from intimidation, discrimination, and harassment;
  • protect college data, and ensure that confidential information isn’t stored or displayed in unsafe places;
  • comply with security restrictions on all systems.

Unauthorized use of information technology resources is prohibited. Each individual bears the primary responsibility for the material s/he chooses to access, store, send or display. In the case of an activity which isn’t specifically cited as either allowed or prohibited in any college policy or state or federal law, users should err on the side of caution: if a use bears a cost to the state, interferes with use of systems by others, or violates the rights of another person, it shall be considered unauthorized.

The college has a responsibility to:

  • practice good stewardship of state resources;
  • treat information about, and information stored by, the system’s users in a manner that respects both user privacy and the value of the information;
  • take precautions to protect college information systems and the information contained therein from malicious or unauthorized use;
  • faithfully execute all hardware and software licensing agreements applicable to college systems;
  • take precautions against theft or damage to system components; and
  • respond to lawful requests for disclosure of information.

Privacy and Public Records

Evergreen respects the principles of academic freedom, freedom of speech, and the right of privacy. The use of information technology systems holds special implications for these principles.

Information system accounts may provide access to sensitive, restricted or confidential data. Users of college information systems will maintain the confidentiality of any and all data retrieved from TESC information systems. Disclosure of the information to unauthorized persons could subject the user to criminal and civil penalties imposed by the law or disciplinary action imposed by the college.

Data must be stored within a “secure storage device” as designated by Computing and Communications if the unauthorized discloser of the data would subject the organization to a negative operational impact; constitute a violation of federal or state law; or result in harm to the individual or carry significant financial liability. Portable data storage devices (e.g., tape drives, zip drives, removable hard drives, USB data storage devices, etc.) are not designated as secure. Questions regarding secure storage of data should be directed to the Computing and Communications Helpdesk.

The Family Education Rights and Privacy Act of 1974 govern disclosure of records, documents or other facts containing personally identifiable information about students. Requests for information about students, or requests for lists of individual students, are to be forwarded to the college official responsible for maintaining the information, and questions concerning the release of information should be referred to the Associate Vice President of Enrollment Services or the Registrar.

Other record and documents regarding employees, research data, preliminary drafts, notes and recommendations, as well as requests for lists of individuals which may be used for commercial purposes, may be exempt from, or not subject to, public disclosure. College rules contain additional types of records exempt from disclosure. Disclosure of public records shall be in accordance with Evergreen’s policy in WAC 174-276. Requests for non-student records will be forwarded to Evergreen’s Internal Auditor.

IT staff shall not routinely inspect nor monitor use of computers. Nor shall they routinely change nor delete files or email from accounts on college-managed systems unless they are invited to do so by the owner of the account. However, therecan be no guarantee of security and privacy of your email and electronic files, and the college specifically reserves the right to review, audit, and inspect email and electronic files as state law requires.

In general, an account will only be inspected by the college when:

  • activity from an account or network address impedes access to computing or networking resources by others;
  • an employee has failed to, or is unable to, respond to a lawful public records request;
  • general usage patterns indicate that an account or computer is being used in an inappropriate activity;
  • there are credible reports of violations of policy or law taking place;
  • it appears necessary to do so to protect the college from liability;
  • it is required by and consistent with law (e.g. Evergreen’s Patriot Act Policy).

All new employees of the college are to participate in Security Awareness Training as a part of mandatory orientation training. Continuing employees will annually participate in Security Awareness Training made available by Evergreen.

What Can Be Attached to the Network and How

In order to maintain the security and reliability of Evergreen’s campus network, users are required to abide by the following rules when connecting devices to Evergreen campus networks:

  • all computers must have current anti-virus software installed prior to connecting to the campus network;
  • users shall not establish network or dial up connections that bypass Evergreen’s firewall;
  • connection of and/or use of Virtual Private Networks (VPNs) devices or software must be approved in advance by Network Services;
  • installation of Wireless Access Points or ad-hoc wireless networks must be approved in advance by Network Services (Wireless Access Points in Housing must be approved by the Housing Technology Manager) .

Prohibitions

In light of all the policies outlined above in this document, the following are examples of specifically prohibited activities:

  • sharing of account/usernames or passwords;
  • attempting to test security flaws without Network Service authorization;
  • probing or connecting to any computers without legitimate reason to do so;
  • using Evergreen systems or networks as a staging ground to crack other systems or networks;
  • installing invasive software, such as worms or viruses on any Evergreen system over any network;
  • altering any data, software, or directories other than your own without proper authorization;
  • attempting to gain access to a system, account or password that you are not previously authorized to access;
  • using system resources for:
  • unethical purposes, including private outside business or political purposes unless authorized under the Ethics in Public Service Act or rules of the Executive Ethics Board;
  • committing acts of academic dishonesty (see Student Code of Conduct);
  • installing software on state-owned equipment which is not directly tied to the academic or administrative work of the college;
  • installing personal software, games, music, screensavers or other electronic materials which may interfere with the stability or reliability of college owned systems;
  • violating copyright laws (including software, images, music, movies, or text);
  • sexual harassment or harassment based on race, color, gender, religion, creed, age, marital status, national origin, sexual orientation, disability, or veteran status.

Consequences

Violations of this policy will be investigated by the college and may result in revocation of access to information technology resources and/or disciplinary or legal action. Violators are subject to any and all of the following:

  • loss of information technology resources access;
  • college disciplinary action (as prescribed in the Student Conduct Code, Union Contract, Faculty Handbook, Human Resource Policies/Procedures, or at the discretion of immediate supervisor for exempt staff);
  • civil proceedings;
  • criminal proceedings.

Policies and Laws Applicable to Information Technology Systems

UNITED STATES CODE

REVISED CODE OF WASHINGTON (RCW)

WASHINGTON ADMINISTRATIVE CODE (WAC)

EVERGREEN POLICIES AND MANUALS

OTHER