J8: Devices Connected to the College Network

Responsibility for Maintenance: Information Technology Services

Date of most recent changes: July 10, 2019

I. Policy Statement  

Devices connected to the OCC computer systems and communications networks must have adequate controls, security, and maintenance to protect the College, its computer systems and communications networks. Any computers or devices that connect to the Private OCC network must meet minimum security standards and be approved by ITS. Other devices may connect to the OCC Public Wireless. OCC does not provide technical support for the use of personal owned devices, equipment or software.

II. Reason for Policy  

The College's ability to conduct its business is dependent on reliable and secure access to its computer systems and communications networks. The OCC computer systems and communications networks and may be jeopardized by computers/workstations, servers, and other devices that are not adequately maintained or protected from virus, phishing, worm and other malicious and evolving cyber-risk and attacks.

III. Applicability of the Policy  

This policy applies to all devices connected to the OCC computer systems and communications networks.

IV. Contacts  

Subject  Office Name  Title or Position  Telephone Number  Email/URL  
 Information Technology ServicesAssistant Vice President(315)-498-2686wileyst@sunyocc.edu

V. Definitions  

Term  Definition  
DeviceA Device can be a computer/workstation, laptop, server, printer, mobile device, internet devices or any other instrument capable of connecting to and interacting with the OCC computer systems and communications networks and/or other devices on the computer systems and communications networks.
Principal UserA Principal User is an individual who is the primary user of, or the individual or group responsible for the administration of a device.
Compromised Device

For the purposes of this policy, a device is considered compromised once it has been substantiated:
1. That its security is breached and that unauthorized processes or user(s) have access to and are able to control its data and/or resources; 

2. That it has been configured in a way that could threaten, harm, or interfere with the operation, integrity, or network access of other devices; or 
3. That it is actively being used to threaten, harm, or interfere with the operation, integrity, or network access of other devices.

4. Does not meet the security standards outlined in this policy.  

Vulnerable DeviceA Device is considered vulnerable once it has been substantiated that known actions necessary to prevent it from being compromised have not been taken - despite those actions having been recommended by Information Technology Services or by entities charged by Information Technology Services to secure the OCC computer systems and communications networks.
Connected DeviceA Device is considered connected to the OCC computer systems and communications networks when it is attached:
1. To a trusted port (not requiring authentication for its use) on the network;
2. To an open Ethernet port (requiring authentication to a firewall for its use) on the network;
3. To a wireless access point (requiring authentication for its use) on the network;
4. Through an ISP via a VPN (virtual private network) session;
5. Via connections established at institutions affiliated with the College, such as Onondaga County offices; or
6. By any means that enables its access to the College network.
ServerAny computer that delivers information and software to other computers linked by a network.

VI. Procedures  

Connecting a Device to the College Network: A Principal User who connects a Device to the OCC computer systems and communications networks is responsible for assuring the Device is properly secured and protected against compromise. Specifically, any Device connected to the OCC computer systems and communications networks must (when applicable):

  1. If a Server, be housed and maintained in OCC’s IT computer room, or have received approval from IT for an alternate arrangement.
  2. Have an authorized static IP address or be appropriately registered for DHCP;
  3. Be configured to run a supported version of an operating system for which patches for newly identified security breaches are developed and distributed in a timely manner;
  4. Be configured in such a way that known vulnerabilities - such as open FTP ports and open relays - are eliminated or minimized;
  5. Be maintained in such a way that patches which close known security breaches are applied as soon as they become available;
  6. Have antivirus software installed on it that runs continuously and is updated regularly;
  7. Be scanned and determined to be free of viruses and other known compromises that may have been introduced to its operating environment;
  8. Be used for appropriate purposes related to the educational and research mission of the College or to the conduct of its legitimate business activities; and
  9. The ID and password allowing the highest level of administrative access to a server must be escrowed with IT. That is, procedures for access to the administration ID/Password for a server must be made available to IT’s Network Computing management in the event of problems or emergency.

Security Standards for Mobile Devices Connected to the OCC Network:

OCC provides a standard Public Wireless for students, employees, and visitors. Employees who connect to more secure, internal information that provides access to Restricted or Private information will use the more secure OCC Private Network.

  1. Have a non-trivial pass code with a minimum required length of four characters.
  2. If a mobile device is lost or stolen, the Helpdesk should be contacted at 498-2999 to facilitate network password changes or other security measures to prevent loss of College data.
  3. Have an inactivity timeout to automatically lock the device after a maximum of 10 minutes.

Violations: Any Principal User who violates this or other OCC policies, procedures, contractual obligations, or applicable state or federal laws, will be subject to appropriate disciplinary and legal action, including, but not limited to, the limitation or denial of access to OCC’s computer systems and communications networks. Violators may also be subject to disciplinary action, up to and including termination.

Any device to be connected to the campus network requires the knowledge and authorization of the Information Technology department. OCC does not provide technical support of personal owned device, equipment and/or software. Unprotected or corrupted devices may cause outages and compatibility issues with the OCC computing environment.

OCC reserves the right to revoke access to computer systems and communications networks for devices that fail to meet the security standards in this policy or may be considered vulnerable or compromised.  The authorized use of Onondaga Community College’s computer systems and communications networks by student, faculty, staff, and authorized visitors shall be consistent with this Policy.

Approved by the President June 29, 2009

Updated and approved by the President April 14, 2014

Updated and approved by the President June 19, 2015

Updated and approved by the President July 10, 2019