Computer and Network Use Policy
Scope
Access to content through modern information technology is essential to fulfilling the College’s mission of education, research, and public service. Technology access encompasses the use of any combination of college-supplied computing and communication systems, electronic devices, software, internal- and external-data networks, databases, catalogues, electronic meeting spaces, and the Internet.
The College’s technology infrastructure also houses and protects mission-critical data and content that can be as valuable as its financial resources.
To ensure that all community members have fair access to resources and that the College’s mission-critical data and electronic property is adequately protected, it is essential that all faculty, staff, students, and other authorized users comply with these appropriate use policies.
This policy supplements New York State, SUNY, and SUNY Canton policies as well as applicable Federal and State laws. SUNY Canton’s Information Services Department (IS) manages and maintains the operation and integrity of technology systems at SUNY Canton and is supervised by the Chief Information Officer or designee, who also serves as the Information Security Officer (ISO) for the College.
This policy applies to all SUNY Canton owned, leased, or operated computing and network resources including host computer systems, SUNY Canton-sponsored computers, peripherals, electronic devices, software, data sets, catalogues, and communications networks that are controlled, administered, or accessed directly or indirectly by the SUNY Canton community.
SUNY Canton’s authorized users include faculty, staff, students, and other authorized, affiliated or non-affiliated individuals or organizations. Use by non-affiliated institutions and organizations will be in accordance with SUNY Administrative Procedures Manual Policy 007.1: Use of Computer Equipment or Services by Non-Affiliated Institutions and Organizations and with the policies herein.
This policy may be supplemented with additional guidelines by college units which may be authorized by the Chief Information Officer or designee to operate their own computers or networks, provided such guidelines are consistent with this policy.
Critical Information Security Checks and Balances
To maintain adequate security checks and balances that minimize the risk to mission-critical information, this policy and policies created by SUNY will be implemented with the goal that no individual simultaneously has both the authority and the capability to access and/or jeopardize substantial portions of the College’s mission-critical information.
General Terms of Use
Authorized use of SUNY Canton owned or operated electronic computing and network resources will be consistent with the education, research, and public-service mission of the SUNY Canton and consistent with this policy.
A copy of this policy is also posted on the SUNY Canton website and is given to and acknowledged by all students before they may gain access to the College’s network. In receiving a SUNY Canton email or network account, every user agrees to comply with the terms of this policy. Failure to comply may result in sanctions and possible disciplinary action.
SUNY Canton makes no warranties with respect to Internet services, and it specifically assumes no responsibilities for the content of any advice or information received by a user through the use of SUNY Canton’s computer network.
All requests for technical assistance are placed through the Information Services Help Desk by phone at (315) 386-7448 or email at helpdesk@canton.edu. Business hours are posted on the website.
New Technology Introductions
Information Services can offer many types of services, equipment, software licenses and is aware of many low-cost technology solutions available through SUNY and New York State collaborations. It is recommended that departments wishing to solve a technology-related problem contact the Help Desk and engage the assistance of Information Services to find a lowest-cost solution that works well and fits with what the College already owns and supports. This will help moderate the cost of maintaining technology for the College over time.
New computing and communication technologies and services introduced at the College such as but not limited to those attached to the College’s Ethernet and wireless networks; software additions or programming modifications that affect or interact with enterprise systems such as Banner, BlackBoard, email, or other standard software; substitutions or changes to standard equipment, etc. must be approved by the Chief Information Officer or designee before purchasing or engaging the services.
Purchases of client computers and peripherals meeting the standard configurations posted on the Information Services website do not require preapproval.
Account Authorization/Termination
Network and system accounts granted to an individual user are for the sole use of that individual only. Each user is responsible for any use of his/her account. If there appears to be a need to share an account’s data with another person, the user should contact the Help Desk for assistance. The need to share accounts is indicative of a problem in how access to the information or system was set up or how needs have changed. Usually, the need to share can be solved in a more secure manner with IS assistance.
All accounts and data access are granted or terminated on a need-to-know basis related to the performance and fulfillment of the user’s current responsibilities. As these responsibilities evolve, the authorization will change as appropriate.
- Student Account Procedures
Each full- and part-time student is granted UCanWeb, email, BlackBoard, and network accounts, and the email account is added to the student listserv. UCanWeb passwords and network usernames are printed on the student’s official schedule, which is obtained from the Registrar.Withdrawn and suspended students’ accounts are routinely disabled; upon notification by the Registrar, the email accounts are removed from the student listserv by Information Services’ staff. Graduating and non-returning students’ accounts are removed from the system on at least a per-semester basis. - Employee Account Procedures
New full-time, part-time, and temporary employees automatically receive email, BlackBoard, and network accounts and are placed on the faculty/staff email listserv. Access to other systems such as UCanWeb or Banner is granted on an as-needed basis. The employee’s supervisor will request the additional account through the Help Desk, identifying the type and level of access needed. If the account involves access to shared data, such as within Banner, then, IS staff will obtain documented authorization for the account from the respective data custodian to determine appropriate permissions before setting up the account.If an employee’s responsibilities change such that access to any electronic system is no longer needed, it is the supervisor’s responsibility to authorize Information Services to remove system access as soon as the responsibility change takes effect.Before employees depart in good standing, they should plan with their supervisors and Information Services to have their data, relevant email, access rights, and any data backups, etc. transferred to the appropriate successor’s account. The successor should verify that he or she can access all of the data before the departing employee leaves the campus. Human Resources flags the departing employee’s Banner record as inactive. If an employee departs without good standing, Human Resources will notify IS, and IS disables the employee’s accounts by changing the password.
Departing employees’ email and data will be archived offline for six months and made available to the supervisor or successor upon request. Normally, after six months, IS will delete the accounts, archived data, and email. If the supervisor responds to Information Services of the need to continue to have access to the account or data beyond six months, the supervisor will negotiate a schedule with Information Services for timely data cleanup and account removal.
Retiring employees are entitled to keep their email accounts, access to library online resources, and presence on the faculty-staff listserv if they place their request with the Help Desk.
- Public and Guest Account Procedures
SUNY Canton technology resources are substantially funded by the students’ technology fees and supplemented by limited State funds set aside for operating this College. To be fair to students, technology resources are not available for public use. The public is encouraged to use the local, public libraries for open Internet access.Guest accounts are generally given restricted access for a limited time and purpose. Requests for guest accounts are made through the Help Desk for courtesies extended to visitors on college-related business. Every guest account will be sponsored by an authorized user who is responsible for ensuring appropriate policy compliance by the guest.
Standard Security and Maintenance Practices for All Users
Administrative access will be maintained by Information Services on all electronic devices and systems that are owned or operated by the College.
- Best-User Practices
The New York State Office of Cyber Security and Critical Infrastructure Coordination have published Cyber Security Awareness, which is a list of best-user practices in maintaining basic security on electronic systems. To protect the College’s systems and data, SUNY Canton users will, as a minimum, become familiar with and follow the sections in these practices on:- User IDs and passwords
- Protecting your information
- Malicious-code protection
- Mobile-computing security
- Wireless security
- Patching
- Possible symptoms of a compromised computer
- Security breaches
- Password Maintenance
Users are expected to change their initial-system passwords the first time they log on to each system. Users are strongly encouraged to change their account passwords frequently; use passwords that are at least nine characters long; use alphabetic, numeric, special characters, and upper- and lower-case characters in their passwords. Although Information Services does not presently enforce these or similar best practices in its systems security, it reserves the right to do so at a future date on any or all systems to protect the information resources of the College.Users may not share accounts and passwords with others. If an account owner’s password is obtained by another individual, it is the account owner’s responsibility to change the password as soon as this is suspected. An exception may be made in specific situations approved by the Chief Information Officer or designee, such as top-level administrative accounts where only one account with those privileges can be issued to perform the functions, and more than one person must access the account to ensure full-staff coverage. - Physical and Account Security
Users are responsible for physically securing computers and other devices configured to access the network and logging off systems containing sensitive data before they leave their workspace, even for a short time. - Basic Computing Knowledge
Users are responsible for maintaining a basic, working knowledge of the current versions of standard end-user tools and software in use on the College’s network in order to adequately perform their job functions and to provide basic, security maintenance and housekeeping on their computers. - Security and Virus Protection Updates
Information Services attempts to make security maintenance on computing equipment easy and automatic for users. However, all users are ultimately responsible for ensuring that security patches, virus protection, adware and spyware prevention, cleanup software, and other security tools are regularly maintained with their latest versions on the computing devices used to attach to the network. If a user notices that security patches or virus protection are not being regularly updated (i.e., every few days) on their computer, they should notify the Help Desk. If in doubt about security patches, users can visit the Microsoft website to check for updates to their operating system or the Microsoft Office website for Office updates. - Basic Housekeeping on Computers
Failure to perform routine housekeeping results in poor computer performance and reduced individual productivity. Users are responsible for regularly performing routine housekeeping on their computers (file cleanup, disk-space compression, etc.) and using security-maintenance tools that keep their computers free of intrusive elements such as viruses, worms, spyware, adware, etc. In most cases, the Help Desk has found that users’ complaints of poor computer performance is not the computer itself but stems from the user failing to do ordinary housekeeping on their computer. It is recommended that users perform a system cleanup at least weekly if not automatically performed upon shutdown.
Data Ownership and Privacy
Except where labor contracts provide copyright provisions, in accordance with New York State policy, all electronic data and information created and/or maintained on New York State agency- owned equipment, including email, documents, programs, etc., are considered the records of New York State. All data maintained on SUNY Canton owned, leased, or any other equipment attached to the SUNY Canton network and systems are subject to release to the public under the Freedom of Information Law.
No user should consider the data on their computer and electronic systems to be completely private.
SUNY Canton upholds principles of academic freedom and does not, as a general practice, monitor or unreasonably restrict activity or the content of material transported across its systems and networks. However, with probable cause, in accordance with the Electronic Systems Investigations section of this policy, the President may authorize the ISO, with the assistance of Information Services, the right to conduct investigations into an individual’s data and system activities; monitor or limit access to their networks and systems; copy and/or remove content, transactions, or other evidence of misconduct; or take other similar measures when it appears that individual rights; applicable college or university policies or codes; contractual obligations; or local, State, or Federal laws may have been violated or that data essential to the College is at risk of damage or loss.
Because the College owns its equipment and records, permission to access its equipment and records is implied. However, IS staff will respect reasonable individual rights to privacy and will only access data in accordance with this policy. IS staff will not casually or routinely browse the contents of users’ data files without reasonable cause. Access will be limited to:
- That minimally required for the satisfactory performance of Information Services’ role of maintenance, security, and integrity protection responsibilities of electronic system resources and data that are property of, or entrusted to, SUNY Canton and its affiliates.
- Responding to requests for, or ensure, compliance with this policy, SUNY policies, and other applicable policies and regulations.
Although numerous, preventative, best-effort security measures are taken to protect the integrity and access of SUNY Canton’s electronic resources, users should be aware that these provide no guarantee that SUNY Canton’s electronic systems are immune to unauthorized access or tampering. In addition, the purpose of an account and password is to limit and manage authorized access to SUNY Canton’s files and information. Use of a password does not guarantee or protect users’ privacy for personal and other improper use of university equipment or facilities.
Confidentiality
The ISO has designated IS staff to be the security custodians for the College’s electronic information. IS staff are responsible for taking or ensuring implementation of preventative measures, intrusion detection, recovery, and restoration of all electronic systems. This typically includes, but is not limited to, activities such as implementing virus and other incursion protection; firewalls; ensuring the application of security patches to all systems including individual and shared equipment; scanning incoming and outgoing Internet, internal network, and email traffic for potential threats; monitoring network traffic for malicious behavior and investigating and resolving the same; removing content identified as potentially infected; conducting inventories of computers, systems, equipment, and software; ensuring compliance with this and other applicable policies; establishing and maintaining operating environments on systems; housekeeping to reclaim unused resources; preparing, repairing, and restoring personal computers and their user data; and backing up data on systems. Many, but not all, of these procedures have been automated such that it is not usually necessary to actually view the content of apparent policy-compliant traffic, systems, and data.
In cases where large amounts of data on a personal computer must be manually accessed or transferred by staff, such as when rebuilding a computer or restoring lost user-data files, Information Services staff will request permission to access the data from the user and provide the user with an opportunity to be present while these actions are being performed, imposing a time limit to the offer. If the user does not respond to the access request within the stated period and the task must be completed in a timely way, IS staff will proceed with the task without the user’s presence. IS staff will exercise judgment to engage the least invasive method possible to adequately perform the task, minimizing contact with the user’s data. There may be unusual circumstances, such as during a network virus attack, where this courtesy may be temporarily suspended in order to take necessary measures to contain an attack, limit damage, protect resources, or rapidly restore systems in an emergency.
In cases where a user’s data has been viewed, Information Services staff will treat such data as confidential and will not disclose its contents to any other personnel without permission of the owner, unless there is reason to believe that policies or laws have been violated, or the data is essential to the College and at risk. If violations are suspected, IS staff will follow the procedures below for the Electronic Systems Investigations.
Copyrights and File Sharing
SUNY Canton observes, and requires all of its electronic-systems users to observe, all copyright laws and fair-use regulations regarding electronic data and systems. No user will use college resources to make a copy of or download any copyrighted material, in electronic or hardcopy format, in violation of the terms of copyright legislation.
No user will view, copy, alter, or destroy another user’s electronic files without permission from the data creator or custodian, except in accordance with this policy, SUNY or NYS policy, applicable laws, or regulations.
Software that resides on SUNY Canton’s computing network(s) is licensed or owned by the University, SUNY Canton, or third parties and is protected by copyright laws, licenses, and/or other contractual agreements. Users are required to respect and abide by the terms and conditions of software use and redistribution licenses. Examples of software copyright restrictions may include prohibitions against copying programs or data for use on SUNY Canton’s computing network(s) or distribution outside the University; the resale of data or programs, use of them for non-educational purposes, or for financial gain; and public disclosure of information about programs (e.g., source code) without the owner’s authorization.
More information about copyrights in the educational environment can be obtained at the website, http://copyright.iu.edu/.
If a user is in doubt about whether or not their proposed activities might be in violation of copyright legislation, the user should contact the Chief Information Officer or designee, Systems Administrator, or Network Administrator for further clarification.
Data and Records Backup
- User Responsibilities For Networked Data Maintenance
Every user is responsible for ensuring that their data, especially college, mission-critical data, is backed up regularly and in accordance with SUNY and local departmental, data-retention policies and those electronic-data backups have been tested to ensure that data can be recovered if necessary from the backup media.The ISO has designated IS to be the custodian of the College’s mission-critical, electronic data. To minimize the risk of data loss to the College, IS provides secured-network data storage, backup, and recovery services to make data and records backup and recovery easier for users.Unless an exception is authorized by the President (as listed below), all current versions of college, mission-critical information will be maintained on the College’s shared network storage to enable more efficient, manageable, and traceable data backup and recovery. It is each data owner’s responsibility to work with the Help Desk Manager to ensure that all the employees modifying mission-critical data save the data on the College’s network storage and use the College’s central backup services. (Most data owners are area or department supervisors, but there may be exceptions to this general rule.)
- Local Data Maintenance Authorization
In some cases, the President may decide that it is in the College’s best interest to authorize specific users to do their own data backups, rather than having Information Services perform this task. In such a case, the user will provide the following in the authorization information to the ISO that outlines essential components of a data backup and recovery plan:- The date that this authorization is being prepared or updated
- The user responsible for the data and his or her campus title
- The type (or domain) and nature of data being excluded from the policy
- What aspects of the College’s mission and operation would be negatively affected by the partial or complete loss or public release of this information (level of risk to the College)
- Rationale for exclusion of this data from the policy
- Where or what system or workstation on which the data will normally be located
- How the system(s) containing the data and the backup equipment will be physically secured from unauthorized access
- How user access is limited to the appropriate authorized users
- Who the authorized users of the data are and date of authorization
- Data retention time (how long information is maintained online)
- Equipment and media used for normal data storage and backups
- How many weeks or months of historical data backups are to be maintained in archived, offline backup form
- Frequency with which backups of current, online data will be taken
- How backups are validated
- Secure, environmentally-controlled site where offsite backups are moved to
- How backups are secured and accessed when needed
- The designated alternate user who has direct, secure access to the data backups and user’s computer
- Signature of user accepting responsibility for the data and backups
- Signature of alternate user responsible for the data
- Authorizing signature of area supervisor, if applicable
- Authorizing signature of Vice President, if applicable
- Authorizing signature of President
- Acknowledgement signature showing document receipt by the Chief Information Officer or designee
The authorized employee’s Administrative Officer is responsible for ensuring that the data backup and recovery plan is performed appropriately, including:
- The system(s) and backups are physically and electronically secured.
- Data and system integrity are maintained.
- Data backups are routinely taken and validated.
- Backup media is labeled properly, tracked, and moved offsite as planned.
- Backup media is regularly replaced with new media in accordance with best practices identified by the manufacturer for the media type and expected lifespan.
- The alternate user has access to the offsite backups without assistance from the primary user and is able to restore the data on demand.
- The above authorization record is kept current.
The appropriate authorizations will be signed, and a copy of the authorization will be given to the ISO for IS records. Through this authorization procedure, the responsibility for this domain of the data’s integrity and security is fully transferred from the Chief Information Officer or designee and IS to the designated and alternate users, their supervisors, and respective officers.
Data Security and Recovery
SUNY Canton provides best-effort security, systems reliability, and recovery against unauthorized intrusion and damage to systems and state records stored on central facilities in accordance with the Termination/Demobilization/Recovery Plan and Business Resumption Plan which are included in the Information Security Emergency Plans.
SUNY Canton also provides some facilities for archiving and retrieving non-critical system and users’ files after accidental loss of data for a limited time period. Data-recovery requests may be placed through the Help Desk.
Data Security and Transport of Confidential, Mission-Critical, and Personally-Identifiable Information
No user may employ the Internet, other WANs, wireless technologies, or removable data transport devices (such as, but not limited to, PDAs, cell phones, iPods, CDs, DVDs, floppy disks, zip disks, memory sticks, external drives, etc.,) to transport or hold any college mission- critical, confidential, or personally-identifiable information, on or off campus, unless such data is secured through encryption and password protection in accordance with local Information Security policies and practices.
Physical-security methods must be used at all times to protect any removable or easily transported media containing confidential, mission-critical, or personally-identifiable information.
Education on how to appropriately and securely transport confidential and private information can be obtained through the Help Desk from the Systems and Security Administrator or the Network Administrator.
Redundant-Access Method to Secured Data
Any time encryption, password security, or data backups are taken and moved offsite or any other security method is employed to protect any college mission-critical, confidential, or personally-identifiable information, security measures will be immediately made available to a second person who has been appropriately authorized to access the information in accordance with this policy and the policies created by SUNY.
Email Backup and Retention
SUNY Canton’s email servers are designed and intended for distribution of email to end-users’ computers or to users’ network-based storage. SUNY Canton considers email passing through its central servers to be transient, temporary data and does not, as a policy, retain email records for extended, data-recovery periods on the central servers. Email retention and backup on users’ computers is at the discretion and responsibility of end users.
Policy on Mass Email Distribution to SUNY Canton’s Faculty and Staff
To eliminate the distribution of inappropriate messages through the campus faculty/staff listserv, all bulk messages distributed to faculty and staff must meet one or more of the following criteria:
- The message is important for the proper execution of daily business.
- The message notifies the campus community of campus events or campus-related news items of potential interest to the majority of faculty and staff.
- The message notifies the community of significant changes in governance, policy, and practice.
- The message alerts the community of health and safety issues.
- The message assists the College in fulfilling its mission or engages open discussion about academic, administrative, strategic, or current-event issues relevant to the College and its mission.
- Messages will be permitted for organizations that are officially affiliated with the campus. Examples of affiliated organizations include the Campus Store, Campus Food Services, etc.
Types of messages that are NOT acceptable include, but are not limited to:
- Messages that are not primarily for the benefit of SUNY Canton.
- Exemptions may be granted by the Director of Public Relations to community organizations that have an official connection to the College. Such connection might consist of a designated board position for a college employee or inclusion in NYS-approved programs, such as the State Employees Federated Appeal (SEFA).
- Inclusion of messages for the benefit of off-campus organizations solely because of personal/family affiliations of state employees represents misuse of state resources.
- Commercial solicitations.
- Personal messages.
- Exemptions may be granted by the Director of Public Relations for messages announcing personal events that have the potential to significantly impact professional relationships. Examples include births in families, retirements, deaths of members of campus community, etc.
All messages will be monitored for this policy’s compliance by the Director of Public Relations or a designee. The following individual or their designee will also serve as moderators for their own messages and of individuals in their respective functional units.
- The President and Vice Presidents
- School Deans
- Directors of Administrative Units
- Directors of College Association Units
- Faculty/Staff Governance and Union Leaders
In accordance with this policy, the bulk emailing of unsolicited messages to faculty, staff, or students through address lists generated via other means (including databases/lists of addresses created from other sources) is prohibited. Bulk email should be distributed only through the policy described above.
Messages for all of the faculty and staff may be submitted for distribution by sending them to CANTONFS-L@LISTSERV.CANTON.EDU.
Standard Computers, Client Devices, and Annual-Refresh Cycles
To ensure the highest level of availability of computing resources at the lowest lifecycle cost and labor expense to the College, all client computers and devices attached to the network will be one of the current, standard configurations approved for use. All purchase requests for new computers by state or auxiliary organizations will attach a copy of one of the current, standard configuration quotes from the IS website.
The standard, current, client, computer configurations and quotes are maintained on the IS website. Configurations and quotes are reviewed by IS staff at least twice per year. The College seeks to retain the use of its purchased computers for at least four, sometimes five, and rarely, six years. Heavily-used lab and faculty computers are replaced every three years. Users making lighter use of computers may receive older configurations at the discretion of the respective Vice President. If necessary, at year three or four, computer memory or disk upgrades may be applied to ensure adequate performance with the current versions of the operating system and office software. Each Spring, IS staff review the networked-computer inventory in each division and auxiliary organization and makes recommendations to the respective Vice President to upgrade or replace computers.
Users seeking an upgrade or replacement computer should contact their respective supervisor early in the calendar year. The general rule is one employee, one computer.
The same set of software is used for all client computers. In the spring of each year, IS solicits faculty and staff for new software based on the needs for the upcoming, academic year. IS staff prepare a standard-software image for each current-hardware configuration. During the summer, all student computers and new faculty/staff computers are refreshed with the appropriate new-software image.
If a user feels that their needs are not met by the currently available configurations, the user can contact the Help Desk for assistance in satisfying his or her needs. If a user presents IS with a nonstandard computer for attachment to the network, IS will deny network access, unless the Chief Information Officer or designee makes an exception.
Personally-Owned Equipment
No personally-owned technology or telephone equipment may be installed by faculty or staff unless permission has been granted by the Chief Information Officer or designee. No personal equipment may be installed for personal use. Generally, personal equipment may not be installed for business use. Certain classes of equipment, which are not normally furnished by the campus and which are personally owned, may be installed with permission of the Chief Information Officer or designee for on-the-job use providing the equipment or its use does not interfere with the College’s resources, the owner complies with technology-use policies described in this document, and is willing to accept personal-maintenance responsibility. If a user chooses to install personally-owned equipment with the permission of the Chief Information Officer or designee, the College accepts no responsibility for its maintenance or any liability for damage to any personal property, data, or personal injury. Any such equipment installed may not be used to access college resources, for example (but not limited to) Internet services for personal use.
Personal equipment installed outside this policy may be removed by the IS staff. If there is damage caused to campus equipment resulting from unauthorized installation of personally-owned equipment, the individual responsible will be billed or held liable for damages to the College or its resources. No personally-owned equipment will be serviced by Information Services staff including, but not limited to, student PCs or equipment previously owned by the campus and later disposed of according to the Computer Surplus and Data Cleansing section below.
Computer Surplus and Data Cleansing
Generally, computers are not sent to surplus at SUNY Canton until there is a genuine technical, performance, or management problem with retaining them on the network, rendering them unfit for use in this environment. Equipment due for surplus will be processed according to Physical Plant policies and procedures. In no case will computers designated for surplus be returned to the College’s network without the approval of the Chief Information Officer or designee.
Before any computer leaves the campus, all computers’ hard drives due for surplus will be removed by IS staff and marked with the prior user’s name. Drives will be retained for an appropriate period of time to ensure that all data has been moved to the new computer. After that time, drives will be wiped clean of data and either reused if salvageable or sent for surplus.
Standard Client Software
Student lab computers are purchased and maintained solely with the Student Technology Fee. They are not available for faculty or staff use. Faculty or staff needing additional or spare computers should contact their respective supervisor.
All computers will be loaded with the standard configuration of software developed by the College. This configuration is developed typically in the spring prior to summer maintenance procedures. Solicitations for standard software to include in the following year’s software image are made in the spring by IS staff. Any user requiring new or additional software in the following year should contact the Help Desk by the advertised due date to obtain assistance in identifying the type of software license to purchase, identifying funds for purchasing the software, and to make sure the software is included in the standard configuration for the upcoming year. This includes faculty and those doing testing or special events using software planned for lab computers.
Installation of the standard-configuration software on student lab computers takes IS staff most of the summer to complete. If faculty fail to notify IS in advance of the standard image’s preparation of software they need for fall instruction, it will probably not be possible to include it on lab computers. Students do not have permission to install software on lab computers. Faculty should seek Help Desk assistance in situations where they want to use software released by book publishers that must be installed by students on computers.
At advertised times, IS may refresh the software image on the client computers to ensure network security and manageability. When such an announcement is made, users who have additional software and data stored on their computers should work closely with Help Desk personnel to ensure that this data and software is restored after the computers are re-imaged.
Wireless Network Interference
Students and faculty are forewarned that the IEEE 802.11b – compliant, wireless network installed in various campus locations is susceptible to interference from operating certain types of equipment, such as 2.4 GHz and higher-powered cordless telephones, microwave ovens, and “Bluetooth” technology wireless equipment. Individuals are strongly discouraged from bringing and using such equipment on campus. If this policy is disregarded and this type of equipment causes a problem with wireless network reception, the individual may be required to disable and/or remove the equipment from campus.
Banner Student Information System
The Sunguard/SCT Banner Student Information System is used for storing student information, grades, financial collections, financial aid, alumni data, residence data, and other student-related information. The College’s web-based interface to Banner is called UCanWeb. Banner is the primary, student-information enterprise system used at the College. Its database is considered the current version, “master” data to which other enterprise systems may interface.
- Banner Advisory Committee
Cross-departmental issues involving Banner and modification methods or issues involving shared data are discussed and resolved in the Banner Advisory Committee. Information System’s Enterprise Systems Manager or designee chairs this committee. Membership includes key users within all departments generating or modifying data in Banner, plus members of the Enterprise Systems team. - Software Modifications
“Off-the-shelf”, SICAS-supported Banner and other enterprise system codes will be used without modification to the greatest extent possible in the interests of cost containment. All local modifications or custom additions to Banner must be approved by the Chief Information Officer or designee. Where modifications are approved, the final, tested, and accepted version of the modified source and object code module and pathname must be registered with IS. Failing to do so may result in loss of the custom code during routine upgrades and recovery after system failure. - Banner Access and Data-Entry Standards
Modifications to data and specific policies regarding granting access to Banner are handled in accordance with the procedures identified in the document, Banner Access and Data-Entry Standards. These procedures are maintained by the Banner Advisory Committee.
Computer and Network Use Violation Examples
- Failing to adhere to any term of this policy is a violation.
- Failing to adhere to Information Security policies is a violation.
- No user will, under any circumstances, use SUNY Canton electronic resources to libel, slander, or harass any other person or use these resources to violate any other institutional or SUNY policy or applicable law.
- Failing to adhere to, or passively or actively subverting, standard-security practices is prohibited.
- Destruction or failure to maintain the integrity of data relevant to the College mission and operations, and/or in violation of data-retention policies and procedures, is prohibited.
- Abuse of SUNY Canton computer resources is prohibited. Examples include, but are not limited to:
- Allowing Unauthorized Access
Sharing computer accounts, passwords, and other types of authorization with others and posting passwords with account names in a readily accessible, unsecured location (i.e., notes attached to a computer screen, posted on the wall, etc.) are prohibited. Users may not run or otherwise configure software or hardware to intentionally allow access by unauthorized persons. Users are expected to log off systems, the network, and lock their offices and workspaces when they leave to physically secure client computers. - Circumventing Security
Users are prohibited from using computer programs, devices, private networks, or any other method to bypass or subvert security measures. Other examples include: turning off or blocking virus-sweeping and automatic operating-system updates, creating additional layers of password protection that subvert administrative access, repeatedly not responding to a request to make a laptop available for routine maintenance/updates, and failing to cooperate with an audit or investigation. Any attempt to consciously subvert security may be subject to, at least, second-level sanctions depending on the damage done by the action. - Unfair Resource Use
Deliberate attempts to monopolize shared resources, degrade the performance of a computer system or network, or to deprive authorized personnel of resources or access to any SUNY Canton computer or network are prohibited. - Private Networks
Operation and use of private networks not explicitly authorized by Information Services include, but not limited to, the use of independent wireless access points, peer-to-peer networks, use of client devices as private servers, etc. and are prohibited. Wireless access points which are built into purchased equipment will be disabled before such equipment may be used within range of the College’s wireless network. - Personal or Commercial Use
Application of state-owned computing resources for personal or commercial use is inappropriate (i.e., (but not limited to) shopping, entertainment, downloading music or videos, excessive use of the Internet to where it interferes with work assignments, running a personal or commercial business, excessive personal chatting on email or messaging that is unrelated to college business, etc.). - Game Playing
Game playing on lab and office computers, and when using the College’s network, is considered to be generally outside the scope of State and academic business, and inappropriate, except when it is in association with a college-sponsored event. Recreational game players occupying a seat in a public, computing facility will release the seat when others who need to use the facility for academic or research purposes are waiting. - Movie and Music Sharing
Downloading or sharing music and movie files which is unrelated to academic delivery and the College’s mission is unauthorized. In addition, it is illegal to share copyrighted files without permission of the copyright owner. Violators caught are subject to legal as well as disciplinary action. - Chain Letters and Advertising
The propagation of chain letters or advertising for other than college-related business is considered an unacceptable practice by SUNY and is prohibited. - Sharing Email Address Lists
Unauthorized distribution of any college email addresses to third parties, without the permission of the email owner, is prohibited. - Unauthorized Servers
The establishment of unauthorized servers is prohibited, such as, but not limited to, a background process that services incoming requests from anonymous users for purposes of gaming, chatting, or browsing the Web. - Departmental Servers
Departmental servers are discouraged and will be preauthorized by the Chief Information Officer or designee. Appropriate network-security measures will be taken to limit the liability in case the server is hacked. They are discouraged for several reasons: the high level of damage that can quickly be done to the network from a server, the difficulties in insuring that the server is physically secured and regularly backed up, and that security patches and other measures are applied in a timely and often rapid-response manner and that these procedures are consistent with those applied to other servers to insure network security. - Unauthorized Software Installations
Installation of software on college operated computers or systems which are unrelated to the College’s business and mission is prohibited. Users requiring installation of software not already provided on standard equipment should contact the Help Desk for support. - Unauthorized Monitoring
A user may not use computing resources for unauthorized monitoring of electronic communications. - Child Pornography
Child pornography and any other activity involving harm to minors is illegal. The College considers this to be a serious, third-level offense. The College seeks to provide a safe environment for its students, many of whom are under legal age. Anyone found using college technology to download, view, transmit, or distribute child pornography will be disciplined, and charges will be brought. - Adult Pornography
Pornography is interpreted as offensive by many and can lead to charges of sexual harassment in the workplace. Any use of pornography on college equipment and the network that is required for academic instruction will be clearly documented and pre-approved by the Academic Dean and the signed authorization filed with the Chief Information Officer or designee before use. Failure to do so will be interpreted as recreational use of equipment, which is prohibited. - Message Flooding
Posting a message to multiple list servers or news groups, with the intention of reaching as many users as possible, with material unrelated to the College, is prohibited. - Political Advertising, Propaganda, or Campaigning
The use of SUNY Canton computers and networks will be in accordance with University policy on use of University facilities for political purposes found at (SUNY Administrative Procedures Manual Policy 5603, Appendix A) https://www.suny.edu/sunypp/documents.cfm?doc_id=374.
- Allowing Unauthorized Access
Electronic Systems Investigations
- Discovery of Need for Investigation
Any SUNY Canton electronic systems user who witnesses evidence that an electronic investigation may be warranted should report the evidence to the responsible President’s Council member, or report it directly to the President as appropriate.No IS staff member may conduct an electronic-data investigation without receipt of a completed Electronic Data Investigation Request Form, authorized by the President. The Investigation Requestor will be a President’s Council member. - Immediate Security and Data Protection Measures
Upon discovery of evidence of the need for an investigation and/or if any mission-critical data or systems are presumed by the Investigation Requestor or IS staff to be at risk either before or during the investigation, Information Services’ staff will notify the President’s Office of an intent to take risk-mitigation actions to secure critical data and systems while preserving evidence and the subsequent investigation’s integrity. Protective measures will be taken, including, but not be limited to, disabling or limiting access by the suspected offending party, quarantining an invasive element, taking a backup of data that is at risk or pertinent to the investigation, etc. - Obtaining Proper Authorization
The Investigation Requestor will complete the Electronic Data Investigation Request Form, and obtain the President’s authorization. The President may involve other Vice Presidents, Human Resources, or University Police as deemed appropriate. The Chief Information Officer or designee will be sent a copy of the completed request for Information Security records. The President may authorize that the investigation occur without the user’s knowledge.If it is necessary to limit or disable the user’s access before or during the investigation, the President will reauthorize the user’s access at the appropriate time.The institution’s need to protect its data and systems will be balanced against an employee’s reasonable right to privacy. Conducting an electronic-systems investigation will be viewed as a serious and unusual matter, typically involving either an emergency situation or an elevated level of personnel action. Sound management practices, common courtesies, and standard Human Resource procedures should be applied beforehand and, if necessary, with the use of this procedure. The ability to monitor electronic-system activity will not carry with it the right to do so indiscriminately, or nullify the need to balance ethics regarding whether it is appropriate to do so. The primary objective of this procedure will not be to harass any individual or group or be used as a means of conducting routine monitoring of individual or group activity beyond the purposes described above. When using this procedure, parallel-ethical guidelines should be applied as if the activity in question had been conducted using paper or non-electronic systems and means.
- Information Confidentiality
Information Services’ staff are to treat all investigations, before, during, and after the event, with the strictest confidence, and limit the number of people involved in the investigation to those with a need to know. - Information Security Violation Event Recording
In all cases, whether described below or not, if it appears that IS has been violated, a record of the event will be made in the College’s Information Security Event Log. If appropriate, the event will be reported to SUNY in accordance with New York State and SUNY Information Security policies. - General Procedures for Conducting the Investigation
The general procedures for all investigations are:- Investigation Requestor will establish probable cause and verbally notify the President’s Office and the Chief Information Officer or designee with the information identified in the Electronic Investigation Request Form.
- If there is concern that information or systems are in jeopardy, the Requestor will contact IS, in particular the Systems Administrator, Network Administrator, or Help Desk Manager (prioritized in that order of availability), and electronically copy the Chief Information Officer or designee and President requesting that appropriate, immediate risk-mitigation measures be taken to secure critical data and systems.
- If emergency data and systems protection may be warranted, IS will notify the President’s Office and take protective measures using their best judgment of the information available at the time. No investigation will be made at that time.
- Investigation Requestor will complete and submit the Electronic Investigation Request Form, obtain the President’s authorization, and acknowledgement of receipt by the Chief Information Officer or designee.
- Information Services will, in strict confidence, conduct the investigation to collect necessary evidence involving only those with a need to know.
- Information Services will document evidence found, and return it to the President’s Office with a copy to the Chief Information Officer or designee. The President will take any action deemed appropriate.
- If the incident constitutes a non-routine security incursion, in accordance with NYS Cyber Security Policy, the Chief Information Officer or designee will report the incident to SUNY.
- Job-Related Emergency Data Access
Situations may arise where a supervisor or other user must, in good faith, gain access to an absent user’s computer and data to perform or continue essential and time-critical, assigned job functions. In this case, the supervisor or user requiring access will make a written or emailed request to the Chief Information Officer or designee, copying the Help Desk Manager and user, documenting the need to know and reason why the user is not being directly approached for the information. Information Services will provide the supervisor with access to the computer or data, notify the user that such access was given, and what data was provided. - Subpoenas, Criminal Investigations, and Similar Releases of Information
In the event that a person representing law enforcement or bearing a subpoena appears and demands a release of information contained in college records, or if an employee receives a request for information under the Freedom of Information Law (FOIL), no information will be released until the request has been authorized by the Records Access Officer, who acts as the College’s Information Officer. The Chief Information Officer or designee will be notified of the event if it involves electronic data, and the event will be recorded in the Information Security Event log.
Sanctions
Violators of this policy will be subject to existing student or employee counseling and disciplinary procedures of SUNY Canton. In addition, illegal acts involving SUNY Canton’s electronic resources may also subject users to prosecution by local, State, and Federal authorities and public release of information contained in electronic systems.
Sanction levels will be applied in a manner consistent with the level of damage to the College and its community members, consistent with Human Resources policy, and may be elevated based on intent to do harm, intent to violate, and/or the number of repeat offenses by the user.
- Faculty and Staff Violations
- First Offense: The Chief Information Officer will notify the user via email of the nature of the first offense, request that the user correct the problem, and send a copy of the Computer and Network Use Policy to the individual. The Chief Information Officer or designeeg will request that the user remove offensive material, and/or may terminate or limit network access, based on the nature of the offense. Depending on the severity of the offense, the Chief Information Officer or designee may also notify the supervisor and Human Resources. The supervisor may choose to hold a counseling session with the employee if warranted. The employee is responsible for notifying the Chief Information Officer or designee, and supervisor, as applicable, when the condition has been corrected.
- Second Offense: The Chief Information Officer or designee will notify the user, and the matter will be referred to the supervisor and Human Resources. The supervisor will initiate a counseling session or continue disciplinary action, as applicable.
- Third Offense: The Chief Information Officer or designee will notify the supervisor and Human Resources, who will continue disciplinary action.
- Student Violations
The Chief Information Officer will notify the student via email of the nature of the offense, request that the student correct the problem, and send a copy of the Computer and Network Use Policy to the individual.Depending on the nature and severity of the offense, or prior offenses, the Chief Information Officer or designee may also notify the Dean of Students. Subsequent action will be in accordance with standard, student disciplinary policies and procedures. - Outside Organizations Utilizing SUNY Canton’s Technology Resources
- First Offense: Upon notification of the violation, the Chief Information Officer will notify the user via email of the nature of the offense, request that the user correct the problem, and send a copy of the Computer and Network Use Policy to the individual. Depending on the nature and severity of the offense, the Chief Information Officer or designee may also notify the SUNY Canton sponsoring Director or Dean. The Director or Dean may choose to hold a counseling session with the user if warranted.
- Second Offense: The Chief Information Officer or designee will notify the user, and copy the SUNY Canton Director or Dean, who may choose to initiate or continue disciplinary action.
- Third Offense: The Director or Dean will be notified with disciplinary action.