- Information Technology Services is responsible for all College-owned and/or operated computer resources provided for use by students, faculty, contractors and staff of Chattanooga State Community College (ChSCC) and TCAT. This document constitutes the policy for the management of all information technology resources, whether managed/supported by Information Technology Services (ITS) or personal equipment/applications, i.e., mobile devices. For reference, throughout this policy, ChSCC will also include TCAT and all off-site campuses.
- This policy establishes guidelines for college-owned and/or operated computer hardware and software, computer network access and usage, Internet and email usage, telephony, security and privacy of data. This policy also informs all users of the policies set forth by the College, in compliance with the Tennessee Board of Regents (TBR 1:08-00-00 and TBR G-054), the State of Tennessee, and the Federal government.
- This policy applies to all persons, including persons employed (either as full-time, part-time, or temporary employees or as independent contractors) by ChSCC and all students enrolled. Along with resources, etc., owned by ChSCC, this policy also governs all use of information technology systems and resources, even when carried out on a privately owned computer that is not managed and/or maintained by ChSCC. Requirements and procedures may be required for the authorized use of specific College computing labs. Failure to adhere to any of the requirements in this policy can result in the removal from the network, confiscation of even personal hardware/software and possibly disciplinary action.
- Rights & Responsibilities:
- The rights of academic freedom and freedom of expression apply to the use of the ChSCC information technology systems and resources; along with the responsibilities and limitations associated with those rights. The use of information technology systems and resources, like the use of other College-provided resources and activities, is subject to the requirements of legal and ethical behavior. The use of these resources must comply with all ChSCC Information Technology Policies and applicable Federal and State Laws. Such electronically available information may not:
- Contain copyrighted material or software unless the permission of the copyright owner has been obtained.
- Violate College policy prohibiting sexual harassment.
- Be used for commercial purposes.
- Appear to represent ChSCC without appropriate permission, or to represent others.
- Contain scripts or code that could cause a security breach or permit use of resources in opposition to ITS or College policy.
- ChSCC accepts no responsibility for any loss of data or damage to data or services arising directly or indirectly from the use of these facilities or for any consequential loss or damage. The College makes no warranty, express or implied, regarding the information technology systems and resources offered or their fitness for any particular purpose.
- ITS reserves the right to disconnect client machines where illegal or potentially damaging software is found to exist. A client machine may also be disconnected if the client's activity adversely affects the network's performance or is considered a security risk to protected data or the College.
- The distribution and display of obscene materials is prohibited by the laws of the State of Tennessee (see Tenn. Code § 39-17-902). The distribution and display of obscene materials is prohibited by the laws of Tennessee (seeT.C.A.39-17-902). Obscene materials are defined under Tennessee law (see T.C.A.39-17-901(10)) as those materials which:
- The average person applying contemporary community standards would find that the work, taken as a whole, appeals to the prurient interest.
- The average person applying contemporary community standards would find that the work depicts or describes, in a patently offensive way, sexual conduct.
- The work, taken as a whole, lacks serious literary, artistic, political, or scientific value.
- Federal law (18U.S.C.2252) prohibits the distribution across state lines of child pornography.
- For further specific guidelines review TBR G-054 IT Acceptable Use. https://policies.tbr.edu/guidelines/it-acceptable-uses and Tenn. Code § 39-17- 901(10)).
- 4.3.Gambling, including that performed with the aid of the Internet, is prohibited under Tennessee state law (see Tenn. Code Ann. § 39-17-502).
- 4.4.Users shall not engage in unlawful uses of the information technology system resources of College. Unlawful activities are in violation of this guideline and may also subject persons engaging in these activities to civil and/or criminal penalties.
- All College staff, faculty, students, adjuncts and contractor/vendors will abide by the policies set forth by the College in compliance with the Tennessee Board of Regent's policies, and the laws of the state of Tennessee and the Federal government.) If a copyright infringement complaint is received, the individual should notify ChSCC Internal Auditor. The complaint will be logged, if necessary, and sent to TBR General Counsel and TBR area representative for action. The TBR Chief Information Officer or his/her designee will be promptly informed of as appropriate for complaints received. Review the Digital Millennium Copyright Act of 1998, Tennessee Code Annotated §49-7-1(c) and TBR Guideline G-054for specific instructions
- File Sharing Applications
- Peer-to-Peer (P2P), Bit Torrent, File Sharing/Gaming software/applications are not permitted on ChSCC equipment. This is to ensure copyright laws are not violated, to protect the ChSCC network from an overload situation load and to prevent a conduit for viruses. For business needs that require this type of software/applications, please submit an on-line work order to ITS containing the business justification. If you are unsure about whether or not the software/app that you want to use falls into one of these situations, please contact ITS Help Desk.
- World Wide Web Home Pages
- Contact ChSCC Marketing for any requests concerning WWW pages and/or use of ChSCC logos.
- Use of ChSCC information technology resources to post a web page for personal or private for-profit use in prohibited. Illegal and/or obscene content in web pages stored on ChSCC resources is prohibited. Incorporation of copyrighted material, without either permission of the copyright holder or under a lawful exemption, is prohibited.
- Users may not incorporate into web pages or other electronic documents the trademarks or logos of others without express, written permission.
- Use of ChSCC information technology resources to promote or advertise activities or entities which are not related to the College mission is prohibited. For further guidance, review ChSCC policies and TBR G-054 IT Responsible Use.
- In accordance with State of Tennessee and TBR 1:08:00:00 all access to the College's computer systems must be approved. Approvals may require displaying of proper identification or completion of forms when requested. Access to departmental computer systems must be approved by the dean/supervisor or their designated representative(s) and be based on policy of least privilege. Approval requirement may vary depending upon the system. Minimum annual reviews of special Internet Native Banner granted accesses are required. (See ChSCC 08:17 Computer Access, located on the ITS web site. https://itservices.chattanoogastate.edu/.)
- To protect network systems and sensitive data accessed through network systems, only college-owned or college-approved equipment may be attached to the College computer network via hardwire connections. All laptops or mobile devices, whether personal or college-owned, are to connect only through the campus wireless network and not through hardwire connections. All vendor default settings must be checked and removed as necessary, before anything is connected to the network. Information Technology Services/ Network Services need to be notified on any addition to the network, before it is connected to the network. (See ChSCC 08:18 Network Access, located on the ITS web site. https://itservices.chattanoogastate.edu/.)
- Regular full time/temporary faculty and staff, adjuncts and students who are registered for classes and have paid fees for the current semester are considered eligible for computer accounts. Accounts for students are automatically set-up.
- The College recognizes the importance of preserving the privacy of users and data stored in information technology systems and resources. Users must honor this principle by neither seeking to obtain unauthorized access to information technology systems and resources nor continued use of an account after the student enrollment or faculty/staff employment ends.
- Security is everyone's job at ChSCC and users are responsible for maintaining the security of their own information technology systems and resources accounts and passwords. Review of all Security Policies should be done on an annual basis and they are located on ITS Web Page and on TigerWeb. If changes are necessary, the updated Policy will first be reviewed and approved by Senior VP of Technology, then sent to Institutional Research for approval and implementation. If no changes are necessary, the policy will be updated with the date of the annual review without having to go through approval process. The following basic security rules are not meant to be all inclusive of the necessary security vigilance that is required in today's computing environment. Review ChSCC ITS Policy 08:16 Data Security and TBR G-054 IT Acceptable Use for more detailed information.
- In accordance with State requirements, all systems and devices owned and operated by or on behalf of ChSCC must display the approved security logon banner before the user logs in. (See Attachment 1)
- Allowing friends, family, co-workers and/or vendors to use accounts, either locally or through the Internet, is a serious violation of these guidelines. Passwords are the most basic security protection. Information technology passwords must meet the required password guidelines established in the ChSCC 08:13 Password Security Policy.
- All accounts used by vendors for remote maintenance will be handled through the ITS work order system for both enabling and disabling these accounts. Accounts will only be enabled during the time needed and only for what access is needed to perform the work.
- Users will not attempt to circumvent security. No one has the authority to remove ChSCC installed anti-virus or other security related software/hardware. Do not use knowledge of loopholes in computer system security or unauthorized knowledge of a password to damage any computing systems, to obtain extra computing resources, to take resources from another user or to gain access to unauthorized systems, either on or off campus. Users shall respect the privacy of other users, and specifically shall not read, delete, copy or modify another user's data, information, files, email or programs without the other user's permission.
- All institutional data is information that supports the mission and operation of ChSCC. It is a vital asset and is owned by the College. Some institutional data may be distributed across multiple departments within the College, as well as outside entities, while other types of data have to be closely protected due to legal requirements. Institutional data is considered essential, and must comply with legal, regulatory, and administrative requirements. All data required by law to be protected from nondisclosure, unauthorized use, modification, or destruction under FERPA's designation of Personally Identifiable Information (PII), Red Flag or PCI designations shall be protected from unauthorized use, modification or destruction.
- Users of mobile computing platforms, including but not limited to laptops, any handheld devices (including mobile phones and tablets), and portable storage media, shall take every precaution to protect such platforms from theft or loss of data by any means. If a personal device is lost or stolen, ITS is authorized to wipe the device to ensure protection of data. See ChSCC ITS Policy 08:16 Data Security for more detailed information.
- Only when it is absolutely necessary to perform specific job related duties shall computing platforms, mobile or stationary, store FERPA, PII or PCI assets. In all cases, these types of assets must have approval from the asset custodian for access and should be encrypted while stored on mobile and stationary computing platforms/devices, where feasible.
- All users of ChSCC information technology resources are required and responsible to comply with all Payment Card Industry (PCI) and FERPA standards. Users shall employ reasonable and appropriate administrative, technical and physical safeguards to protect the integrity, confidentiality, and security of all personally identifiable information (PII), irrespective of its source or ownership or the medium used to store it. Never leave this type of information lying around while you are out of your office. Lock your office door whenever you leave to ensure data is protected. A "clean desk policy" requiring all confidential data (including FERPA and PCI) to be removed from your desk and stored appropriately before leaving for the day.
- With Banner 'A' numbers and/or Tiger-IDs being used as personal identifiers, computing platforms should not contain social security numbers. If an application requires the use of social security numbers, it must be identified in the risk assessment process and appropriate controls put in place. Losses of institutional assets or other IT resources, no matter the format the data resides in, must be reported immediately in accordance with the College's Information Technology Services Security Incident Response (ITSSIR) policy. For specific guidance for use of SSNs, review TBR G-053 Personally Identifiable Information (PII) policy.
- Data Custodians are responsible for oversight of personally identifiable information in their respective area of institutional operations.
- To ensure that all individuals using ChSCC information technology resources understand their obligations and individual responsibilities under this policy, Information Technology training is provided upon hiring. FERPA training is provided by Student Services, and PCI training will be provided by ITS. Training is to be an on-going process with ITS providing appropriate training on at least an annual basis. The training plan will contain training on specific items as determined by the College.
- Ethical Behavior and Rights:
- The College by its very nature values openness and promotes access to a wide range of information. The use of computers, computer-based networks, and electronic information is essential for research, instruction and administration within the academic community. Users shall at all times endeavor to use ChSCC information technology resources in an efficient and productive manner, and shall specifically avoid game playing, printing excessive copies of documents, files, data, or programs; or attempting to crash or tie-up computer resources. Respect for the work and rights of others are especially important in this environment. Any intentional misbehavior with respect to the electronic environment of the College or members of the College community, i.e., purposely destroying data on workstations or loading unauthorized software, installing unapproved software, etc., will be regarded as unethical and may lead to disciplinary action in accordance with College policy as outlined in the student and employee handbooks.
- Storage of Electronic Format Data/Documents:
- All work related electronic formatted data/documents, whether considered to be an official record or not, that are sent, received, or stored on any computing device, are owned by ChSCC. Also included is any institutional work related data that is stored on personal mobile devices or removable storage, such as flash drives. Electronic mail is stored in the cloud and is managed by individual users.
- Disclosure of Electronic Records:
- Pursuant to the Tennessee Code Annotated, Title 10, Chapter 7, and subject to exemptions contained therein, electronic files (including e-mail correspondence) which are, generated/ received by ChSCC employees and owned/controlled by the State or maintained using ChSCC IT systems and resources may be subject to public inspection upon request by a citizen of the State of Tennessee. ChSCC personnel receiving such a request for public inspection should refer the request to the President or Director of their Organization (or to the President's or Director's designee.) Institutions may charge reasonable fees for making copies of such records, pursuant to T.C.A. § 10-7-506.
- Retention of Electronic Records:
- Electronic records needed to support College functions must be retained, managed, and made accessible in record keeping or filing systems in accordance with established records disposition authorization. Each employee, with the assistance of his or her supervisor as needed, is responsible for ascertaining the disposition requirements for those electronic records in his or her custody. To ensure that all record retention requirements are met, individuals should review TBR Guideline G-070, Disposal of Records. https://policies.tbr.edu/guidelines/records-retention-and-disposal-records.
- Violations of this policy shall subject users to the regular disciplinary processes and procedures of the College for students, staff, administrators, and faculty and may result in loss of their computing privileges. Illegal acts involving ChSCC computing resources may also subject violators to prosecution by local, state, and/or federal authorities. Sanctions for violation of copyright can be very substantial.
- ISO 27002 Section 5.1.1 Information Security Policy Document
- State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/Apr 2008
- Tennessee Code Ann. 39-17-902
- Digital Millennium Copyright Act.
- Tennessee Code Annotated §49-7-1(c) Tennessee Code Annotated, Title 10, Chapter 7, 506
- Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00
- Family Educational Rights and Privacy Act (FERPA)
- ITSCC Library Acceptable Use of Electronic Resources
- Payment Card Industry (PCI) Compliance, 07/01/2001
- 10.Tennessee Board of Regents (TBR) Policy 4:01:05:06
- Tennessee Board of Regents TBR Policy G-054
- Tennessee Board of Regents TBR Policy G-053
- Tennessee Board of Regents TBR Guideline B-80
- Tennessee Board of Regents TBR Guideline B-070
- Chattanooga State Community College ChSCC 08-17 Computer Access
- Chattanooga State Community College ChSCC 08-18 Network Access
Approved by: Executive Staff,
Approved by: President's Council
Approved: President 8/25/2016
Implemented by: Computer Services, 1/7/2005
Reviewed and Revised by: Computer Services, 9/30/08 Rev 1
Reviewed and Revised by: Computer Services, 3/27/09 Rev 2 Reviewed and Revised by: Computer Services, 12/1/2011 Rev 3 Reviewed and Revised by: Computer Services, 5/12/2012 Rev 4
Reviewed without Revision by: Information Technology Services, 5/20/2013
Reviewed and Revised by Information Technology Services, 1/31/2016 Rev 5
Revision 5 Changes
Pages All. Computer Services was changed to reflect new name of Information Technology Services.
Page1. Section - Introduction. Added the following statement, "This document constitutes the policy for the management of all IT resources....
Page 2. Section 4.2. Added the statement, "The distribution and display ...." and
For further specific guidelines review TBR-G-054...."
Page 2. Section 4.4. Added per update to TBR Policy G-054 IT Acceptable Uses.
Page 2. Section 5. Added per update to TBR Policy G-054 IT Acceptable Uses, the statement, "The ChSCC designated agent for receipt of complaints of copyright...."
Page 3. Section 7. Added per update to TBR Policy G-054 IT Acceptable Uses.
Page 3. Section 8. Added per update to TBR Policy G-054 IT Acceptable Uses.
Page 3. Section 9. Added the following link, "(See ChSCC 08:17 Computer Access....)
Page 3. Section 9.1. Added the link, "(See ChSCC 08:18 Network Access...."
Page 4. Section 10. Added statement, "Review of security policies should be done on an annual basis...."
Page 4. Section 10. Added reference to TBR Policy G-054 IT Acceptable Uses.
Page 4. Section 10. Added the statement, "Users shall respect the privacy of other users, and...."
Page 4. Section 10.4. Added the following statement, "Users will not attempt to circumvent security. No one has the authority to...."
Page 5. Section 10.5 Added the following statement," All data required by law to be protected from nondisclosure, unauthorized use, modification, or destruction under FERPA's designation of Personally Identifiable Information (PII), Red Flag or PCI designations shall be protected from unauthorized use, modification or destruction.
Page 5. Section 10.7. Added the following statement, "Only when it is absolutely necessary to perform specific job related duties shall computing platforms, mobile or stationary, store...." per update to TBR Policy G-054 IT Acceptable Uses.
Page 5 Section 10. 7"All users of ChSCC information technology resources are required and responsible to comply with all Payment Card Industry (PCI) and FERPA standards.....irrespective of its source or ownership or the medium used to store it."
Page 5 Section 10. 7"With Banner 'A' numbers and/or Tiger-IDs being used as personal identifier.... (PII) policy. Data Custodians are responsible for oversight of personally identifiable information in their respective area of institutional operations. "
Page 6 Section 10.8 "FERPA training is provided by Student Services, and PCI training will be provided by ITS. Training is to be an on-going process with ITS providing appropriate training that will permit the ChSCC community to comply with both the letter and the spirit of all applicable privacy legislation."
Page 6. Section 11. Ethical Behavior and Rights. Added the following statement, "Users shall at all times endeavor to use...." per update to TBR Policy G-054 IT Acceptable Uses.
Page 6. Section 11. Added the following statement, "....purposely destroying data on workstations...."
Page 6. Section 12. Storage of Electronic Format Data/Documents. Changed title of paragraph from e-Mail to Storage of Electronic Format Data/Documents. Rewrote paragraph.
Page 6. Section 14 - Retention of Electronic Records. Added the statement, "To ensure that all record retention requirements are met, individuals should review TBR Guideline G-070, Disposal of Records." Added per Reference #11.
Page 6. Section 14 - Added the statement, "For specific guidelines concerning email storage, Legal Discovery requirements, etc., please review CHSCC 08:17:04:0, Computer Access."
Chattanooga State Security Warning Banner This system is for use by authorized users only. Individuals accessing this system without authority or in excess of their authority are in violation of Federal and/or State laws, regulations and policies and may be subject to criminal, civil and/or administrative actions. Any information, including personal information, on this computer system may be intercepted, recorded, read, copied and disclosed by and to authorized personnel for administrative purposes, including criminal investigations. Anyone using this system expressly consents to such monitoring and SHOULD HAVE NO EXPECTATION OF PRIVACY for any information stored or communicated in or through this system paras.