J1: Acceptable and Responsible Use of OCC Technology and Information Systems ("Acceptable Use Policy" or "AUP")

Responsible for Maintenance: Information Technology Services

Date of Most Recent Changes: September 24, 2024

I. Purpose

OCC's technology infrastructure exists to support the College in order to fulfill the College's mission. Access to these resources is a privilege that should be exercised responsibly, ethically and lawfully.

The purpose of this AUP is to establish the minimum expectations for all employees and students at OCC. Fulfilling these objectives will enable OCC to implement a comprehensive system-wide Information Security Program.

II. Scope

This policy applies to all users of computing resources owned, managed, or otherwise provided by the College. Individuals covered by this policy include but are not limited to all Employees and Students and vendors with access to the College's computing resources. Computing resources include all OCC owned, licensed or managed hardware and software, email domains and related services and any use of the College's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

III. Privacy

Employees do not acquire a right of privacy for communications transmitted or stored on the College's resources. In response to a judicial order or any other action required by law or permitted by official OCC policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the College, the President may authorize an OCC official or an authorized agent, to access, review, monitor and/or disclose computer files associated with an individual's account. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the College's rules, regulations or policy, or when access is considered necessary to conduct OCC business due to the unexpected absence of an employee or to respond to health or safety emergencies.

OCC reserves the right to protect, repair, and maintain the College's computing equipment and network integrity. In accomplishing this goal, OCC ITS personnel or their agents will do their utmost to maintain user privacy. Any information obtained by ITS personnel about a user through routine maintenance of the College's computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of OCC's computing resources.

IV. Policy

Activities related to OCC's mission take precedence over computing pursuits of a more personal or recreational nature. Any use that disrupts the College's mission is prohibited.

Following the same standards of common sense, courtesy and civility that govern the use of other shared facilities, acceptable use of information technology resources generally respects all individuals' privacy, but subject to the right of individuals to be free from intimidation, harassment, and unwarranted annoyance. All users of OCC's computing resources must adhere to the requirements enumerated below.

    1. Fraudulent and Illegal Use

OCC explicitly prohibits the use of any information system for fraudulent and/or illegal purposes. While using any of the College's information systems, a user must not engage in any activity that is illegal under local, state, federal, and/or international law. As a part of this policy, users must not:

  • Violate the rights of any individual or company involving information protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by OCC.

  • Use in any way copyrighted material including, but not limited to, photographs, books, or other copyrighted sources, copyrighted music, and any copyrighted software for which the College does not have a legal license.

  • Export software, technical information, encryption software, or technology in violation of international or regional export control laws.

  • Issue statements about warranty, expressed or implied, unless it is a part of normal job duties, or make fraudulent offers of products, items, and/or services.

Any user that suspects or is aware of the occurrence of any activity described in this section, or any other activity they believe may be fraudulent or illegal, must notify his/her manager immediately.

If any user creates any liability on behalf of OCC due to inappropriate use of the College's resources, the user agrees to indemnify and hold the College harmless, should it be necessary for OCC to defend itself against the activities or actions of the user.

    2. Confidential Information

OCC has both an ethical and legal responsibility for protecting confidential information in accordance with its B20 Institutional Data Policy. To that end, there are some general positions that the College has taken:

  • The writing or storage of restricted information on mobile devices (phones, tablets, USB drives) and removable media is discouraged. Mobile devices that access confidential information will be physically secured when not in use and located to minimize the risk of unauthorized access.

  • All Employees and Students and vendors will use approved workstations or devices to access the College's data, systems, or networks. Non-College owned workstations that store, process, transmit, or access confidential information are prohibited without appropriate access and other safeguards approved by ITS. Accessing, storing or processing confidential information on home computers is prohibited without appropriate access and other safeguards approved by ITS.

  • All OCC portable workstations will be securely maintained when in the possession of Employees and Students. Such workstations will be handled as carry-on (hand) baggage on public transport.  They will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.

  • All confidential information stored on workstations and mobile devices should be encrypted. 

  • All Employees and Students who use College-owned workstations will take all reasonable precautions to protect the confidentiality, integrity and availability of information contained on the workstation.

  • College employees and vendors who transport electronic media or information systems containing restricted information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft and unauthorized use.

  • College Employees and Students will lock their screen whenever they leave their workstation unattended and will log off from or lock their workstation when their shift is complete.

    3. Harassment

OCC is committed to providing a safe and productive environment, free from harassment, for all employees. For this reason, users must adhere to College-established codes of conduct and/or policies. If a user feels he/she is being harassed through the use of the College's information systems, the user must report it in accordance with established reporting protocols.

    4. Incident Reporting

OCC is committed to responding to security incidents, College-owned information or College-owned information assets. As part of this policy:

  • The loss, theft or inappropriate use of College access credentials (e.g. passwords, key cards or security tokens), assets (e.g. laptop, cell phones, desktop PC and/or peripheral equipment), or data will be reported to the AVP of ITS.

  • If a College Employee or Student suspects that something may be an incident, it should be reported to the AVP of ITS.

  • College Employees and Students will not prevent another individual from reporting a security incident.

    5. Malicious Activity

OCC strictly prohibits the use of information systems for malicious activity against other users, the College's information systems themselves, or the information assets of other parties.

          a. Denial of Service

Users must not:

  • Perpetrate, cause, or in any way enable disruption of OCC's information systems or network communications by denial-of-service methods;

  • Knowingly introduce malicious programs, such as viruses, worms, and Trojan horses, to any information system; or

  • Intentionally develop or use programs to infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system or network.

          b. Confidentiality

Users must not:

  • Perpetrate, cause, or in any way enable security breaches, including, but not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access;

  • Facilitate use or access by non-authorized users, including sharing their password or other login credentials with anyone, including other users, family members, or friends;

  • Use the same password for OCC accounts as for other non-OCC access (for example, personal ISP account, social media, benefits, personal email, etc.);

  • Attempt to gain access to files and resources to which they have not been granted permission, whether or not such access is technically possible, including attempting to obtain, obtaining, and/or using another user's password;

  • Make copies of another user's files without that user's knowledge and consent;

  • Use non-College encryption keys on College equipment. For enforcement of functions required by this policy, any such encryption keys employed by users must be provided to ITS if requested; or

  • Base passwords on something that can be easily guessed or obtained using personal information (e.g. names, favorite sports teams, etc.).

          c. Impersonation

Users must not:

  • Circumvent the user authentication or security of any information system;

  • Add, remove, or modify any identifying network header information (“spoofing”) or attempt to impersonate any person by using forged headers or other identifying information;

  • Create and/or use a proxy server of any kind, other than those provided by OCC, or otherwise redirect network traffic outside of normal routing with authorization; or

  • Use any type of technology designed to mask, hide, or modify their identity or activities electronically.

          d. Network Discovery

Users must not:

  • Use a port scanning tool targeting either OCC's network or any other external network, unless this activity is a part of the user's normal job functions, such as a member of ITS conducting a vulnerability scan, or faculty utilizing tools in a controlled environment.

  • Use a network monitoring tool or perform any kind of network monitoring that will intercept data not intended for the user unless this activity is a part of the user's normal job functions.

    6. Hardware and Software

OCC strictly prohibits the use of any hardware or software that is not approved or purchased, installed, configured, tracked, and managed by ITS. Users must not:

  • Install, attach, connect, remove or disconnect hardware of any kind, including wireless access points, storage devices, and peripherals, to any College information system without the knowledge and permission of ITS;

  • Download, install, disable, remove or uninstall software of any kind, including patches of existing software, to any College information system without the knowledge and permission of ITS;

  • Take OCC equipment off-site without prior authorization from ITS.

  • Take a device owned by OCC to countries on a restricted list, as defined by ITS.

    7. Messaging

The College provides a robust communication platform for users to fulfill its mission. Users must not:

  • Automatically forward electronic messages of any kind, by using client message handling rules or any other mechanism outside of their OCC account.  Examples include auto-forwarding email to a personal account rather than using the official OCC account.

  • Send unsolicited electronic messages, including “junk mail” or other advertising material to individuals who did not specifically request such material (spam);

  • Use any email or identity (e.g. e-mail address, social handle, etc.), other than the employee's College email account for any College business; or

  • Create or forward chain letters or messages, including those that promote “pyramid” schemes of any type.

    8. Working Off-Premises

When working from a location other than the college offices, users must:

  • Safeguard and protect any College-owned or managed computing asset (e.g. laptops and cell phones) to prevent loss or theft.

  • Keep sensitive data on the OCC-hosted systems (e.g. don't download or save copies on local machines).

  • Don’t use non-OCC storage (local or web-based) for storage of OCC materials.

  • Keep your personal devices locked when not in use.

  • Always use anti-malware and anti-virus on your personally-owned devices if using them to conduct OCC business.

  • Always run current operating system / software (apply security patches to your devices).

  • Be wary of using WiFi that you do not own: strongly prefer your mobile hotspot or your secured WiFi.  If using WiFi that you do not own, make sure that the SSID is valid before you connect and only use password-protected WiFi.

  • Take reasonable precautions to prevent unauthorized parties from utilizing ITS resources or viewing OCC information that is processed, stored or transmitted.

  • Only use the OCC-provided VPN when connecting to the College network.

    9. Other

In addition to the other parts of this policy, users must not:

  • Use the College's information systems for commercial use or personal gain.

V. Enforcement

OCC may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of College and computer resources.

Individuals who violate any part of this policy will be subject to the College's Progressive Discipline Policy.

VI. Related Documents

VII. Contacts

Subject: Entire Policy
Office Name: Information Technology Services
Telephone Number: (315) 498-2686
Email/URL: wileyst@sunyocc.edu

Approved by OCC Board of Trustees February 2024

Updated and approved by the President January 31, 2011

Updated and approved by the President April 14, 2014

Updated and approved by the President June 15, 2015

Updated and approved by the President April 3, 2017

Updated and approved by the President September 22, 2017

Updated and approved by the President October 16, 2017

Updated and approved by the President September 19, 2018

Updated and approved by the President June 15, 2020

Updated and approved by the President June 15, 2021

Updated and approved by the Board of Trustees September 24, 2024