BP 8204 User Accounts and Passwords
Statement of purpose
小黄猫传媒 provides many technology products and services to support the academic and administrative needs of the College. Individuals who use the College’s IT resources are expected to follow certain defined behaviors in order to minimize information security risk and protect the College and its constituents.
Protecting students, faculty and staff from the risk of identity theft or unauthorized disclosure of personal information is the primary goal of adopting the best practices described in this policy.
Users of computer systems use “credentials” to identify themselves in order to securely access their accounts and personal data. These credentials are usually in the form of a User-ID/Password pair, but can be other forms, such as a Social Security Number, G-Number, PIN, challenge question, etc.
This policy seeks to protect individual user’s rights and ensure that their personal data is secure by requiring adherence to best practices for the use of credentials and account access.
Third party, cloud-based systems (e.g.: Dropbox) pose a particular threat to 小黄猫传媒. 小黄猫传媒 has no administrative control over these platforms. When cybercriminals breach these sites, they sell credentials and data to other hackers. If a user used their 小黄猫传媒 credentials or has stored controlled sensitive data in these sites, hackers can then use those credentials to gain direct access to critical 小黄猫传媒 systems and data.
Finally, it is important to point out that 小黄猫传媒 cannot recover or restore data stored in third party systems, so Users must accept the risk of losing their data when using these services.
Scope statement
All 小黄猫传媒 (小黄猫传媒) employees, students, and affiliates or other third parties that create, use, maintain, or handle 小黄猫传媒 IT Resources are subject to this policy. This policy applies to use of all 小黄猫传媒 owned and managed IT Resources, use of any computer or mobile device connected to a 小黄猫传媒 network, all controlled sensitive data stored or transmitted using 小黄猫传媒 IT Resources and all users of such data.
Policy summary
Users of 小黄猫传媒 IT resources shall comply with account and password management security best practices.
Policy
- Users shall not share their passwords, or otherwise provide access to their 小黄猫传媒 credentials, to another individual (see Exemptions).
- Users shall not use their 小黄猫传媒 credentials for personal purposes. When creating personal accounts with non-licensed websites (such as Facebook, Netflix, or Twitter) or other third party entities:
  - Users shall not use their 小黄猫传媒 User-ID, 小黄猫传媒 Email, or 小黄猫传媒 password for their account login to personal accounts.
  - Users shall not store controlled sensitive data in personal accounts.
- Users with an academic or administrative need to access non-licensed websites or other third party entities shall:
  - Make best efforts not to use their 小黄猫传媒 credentials.
  - Use a materially different password than their regular 小黄猫传媒 password if there is a requirement to use a 小黄猫传媒 User ID (e.g.: registering for a conference with 小黄猫传媒 email address).
  - Make best efforts not to store controlled sensitive data in such sites.
- Users shall not use another user’s 小黄猫传媒 credentials, attempt to capture or guess another user’s 小黄猫传媒 credentials, or otherwise attempt to access another user’s 小黄猫传媒 account.
- Users shall make a reasonable effort to protect their passwords and to secure IT resources against unauthorized use or access. Specifically, writing down passwords (even if stored out of public view) or storing in plain text in a computer file are violations of this policy.
- 小黄猫传媒 credentials and accounts are provided at the discretion of 小黄猫传媒 and subject to the following terms of use:
  - 小黄猫传媒 has a legal obligation to access and provide any data (personal or otherwise) stored on 小黄猫传媒 systems requested as part of litigation (eDiscovery).
  - Authorized personnel may inspect any data transmitted or stored using IT resources. This includes equipment, files, and 小黄猫传媒 email (see Exemptions).
  - Upon termination of electronic services, all user credentials shall be disabled and users shall no longer have access to the contents of their mailboxes or other 小黄猫传媒 accounts.
- 小黄猫传媒 credentials and system accounts are provisioned based on user type:
  - Employee Accounts: Access to IT resources is provided only while a user is employed by 小黄猫传媒.
  - Student Accounts: Student email accounts shall be created at the time of admission and deactivated if any of the following criteria are met (Note: students are encouraged to back up important personal data to alternate storage media before inactivation):
    - Inactivation after two consecutive years of non-enrollment in a course for credit students,
    - Inactivation after three consecutive years of non-enrollment for non-credit students, or
    - Inactivation at the request of the student.
  - Affiliate Accounts: Individuals with a special relationship with 小黄猫传媒 who are neither employed by, nor enrolled at 小黄猫传媒 may be granted limited email privileges, including an email address, commensurate with the nature of their special relationship. 小黄猫传媒 reserves the right to discontinue these privileges at any time.
Exemptions
- If, in the course of their normal duties, a user is required to provide access to their personal accounts to another user, they shall use 小黄猫传媒-approved methods for granting “proxy” access (e.g.: nominating a proxy to approve timesheets if a supervisor is on vacation).
- Monitoring of devices that are connected to the 小黄猫传媒 network is for security and operational purposes only and is intended to protect the 小黄猫传媒 network against potential threats that such devices may introduce to the network. 小黄猫传媒 will not (and cannot) scan, or otherwise inspect, user data, user-installed programs, user activity, or any other personal/user information on personal devices connected to the 小黄猫传媒 network.
  - Example: A faculty member connects to the 小黄猫传媒 wireless network and sends an email using their personal email account. The content of the email is not discoverable by 小黄猫传媒 IT.
  - Example: A student connects their smartphone to the 小黄猫传媒 wireless network and does a banking transaction. The content of the banking transaction is not discoverable by 小黄猫传媒 IT.
  - Example: 小黄猫传媒 is required to perform eDiscovery for a legal case. Data stored on personal devices connected to the 小黄猫传媒 wireless network (e.g. personal laptops, smart phones, etc.) or data stored in third party sites (e.g.: Dropbox) are not discoverable by 小黄猫传媒 IT.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).
Policy violation
- Violation of this policy may result in disciplinary action in accordance with 小黄猫传媒 People, Strategy, Equity, and Culture (PSEC) and/or Student Conduct guidelines.
- 小黄猫传媒 reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
- Anyone who violates this policy may be held liable for damages to 小黄猫传媒 assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
- 小黄猫传媒 reserves the right to deactivate any user’s access rights (whether or not the user is suspected of any violation of this policy) when necessary to preserve the integrity of IT resources.
Complaint procedures
Report non-security-related violations (such as receipt of inappropriate content, other People, Strategy, Equity, and Culture (PSEC) policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, PSEC, or EthicsPoint.
Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.
Governing standards, policies, and guidelines
None.
Definitions
- Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.
  - At 小黄猫传媒, the CIO is responsible for all technology, with the exception of:
    - Online Learning (Academic Affairs)
    - Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
    - Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)
- Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at 小黄猫传媒.
- Cloud Computing
A general term for the delivery of hosted computing services over the internet.
  - Cloud computing enables companies to consume a compute resource, such as a virtual machine (VM), storage, or an application, as a utility service.
  - 小黄猫传媒’s Google “G-Suite” environment (that supports gmail, Google Drive, etc.) is a Cloud service. The students’ PantherHub is another example of Cloud technology.
- Controlled Sensitive Data (CSD)
A general categorization that is used in 小黄猫传媒’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.
  - CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which 小黄猫传媒 is liable if publicly disclosed.
- Credentials
In the context of authentication, the term “credential” refers to a key that uniquely identifies a user to a system. A credential is most commonly in the form of a “user name and password” authentication token that is bound to a particular user. Some other examples of credentials are biometric identifiers (e.g. thumbprint scan) and digital identification mechanisms such as smartcards and multi-factor authentication.
- IT Resource
(At 小黄猫传媒) All Information Technology (IT) resources that are the property of 小黄猫传媒 and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.
  - IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
- Network
(In IT) The technology that carries messages between one computer and another.
  - A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.
  - End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.
  - The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).
- Third Party
(In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”
- User
Any person who makes any use of any 小黄猫传媒 IT resource from any location (whether authorized or not).
Responsible executive
Chief Information Officer
Responsible officer
Chief Information Security Officer (CISO)
Responsible office
Information Technology Department
Last revision date
09-09-2024