Policy 7.1.1 — Technology Systems
Procedure 22.214.171.124 — Employee Personal Computer Use
Policy 7.1.2 — Internet and Network Acceptable Use
Policy 7.1.3 — Electronic Records Retention (cross reference policy 2.3.8)
Policy 7.1.4 — Electronic Signatures
Policy 7.1.5 — Social Media
Policy 7.1.6 — Peer-to-Peer File Sharing
Policy 7.1.7 — Digital Technology Accessibility
Policy 7.1.8 — Clean Desk Policy
Policy 7.1.9 — Information Security Plan
The College’s technology systems include technology hardware, electronic mail and other forms of electronic communications, Internet access and use of computing devices. As the owner of property and services, the College has the right to monitor activities and to access information on the College’s technology systems stored, sent, created or received by faculty, staff, students or other users. Any individual using the College’s technology systems should not expect individual privacy in their use of the technology systems including, but not limited to, the use of the College’s electronic mail system.
When using the College’s technology systems, all users shall adhere to the College’s information technology policies and procedures.
II. PUBLIC AND CONFIDENTIAL RECORDS
Unless otherwise confidential by law, records generated using the College’s technology systems are considered public records and must be maintained as public records pursuant to the College’s policies and procedures. Student education records and certain personnel information are protected by law and are confidential. For more information concerning student records, see Policy 5.4.3 – Student Records and for information concerning personnel records, see Policy 3.3.1 – Personnel Files.
Employees may not download confidential student and personnel information onto a personally owned electronic device or onto another network unless authorized by the President or Chief Information Officer.
III. EMPLOYEE USE OF TECHNOLOGY SERVICES
Employees using the College’s technology hardware, software, or systems should adhere to the following guidelines.
A. Employees shall adhere to Policy 7.2 – Internet and Network Acceptable Use Policy.
B. All computing devices, including portable computing devices such as laptops or tablets, shall:
1. Use encryption or other measures to protect confidential information, including personal information, from unauthorized disclosure;
2. Be labeled with a tamper-resistant tag, permanently engraved label or ID number, or both, identifying the device as the College’s property;
3. Be used in compliance with all applicable security requirements for the College’s computers; and
4. Include password protection on such devices, if applicable. Applicable devices include:
• Any device used to store, transmit or receive personally identifiable information on any person.
• Any device used to store, transmit or receive confidential College information.
• Any device used to store, transmit or receive student education and/or confidential personnel records or information.
C. The College’s mobile technology equipment, such as laptops and tablets, may be used at home by College personnel provided:
1. Use of the equipment at home will not interfere with the College’s operational needs;
2. Employee has obtained supervisor approval;
3. Personnel return items to campus upon request for system maintenance, upgrades, inventory, and verification.
D. The College’s Information Technology Services Department (“ITS”) maintains all of the College’s technology equipment. ITS does not support the use and setup of the College’s technology equipment on Internet, network and computing resources that are not owned and maintained by the College.
E. The College recognizes that employees may occasionally receive personal email on College computers, use College equipment to complete an online course and for other personal reasons. Personal use of College computers and equipment is acceptable provided that employees adhere to the following:
1. Personal use may not interfere with the College’s operational needs;
2. Equipment may not be checked out solely for the purpose of personal use;
3. Users understand that data stored on College equipment or sent using College email or other communication methods is not private;
4. Users will adhere to all state and federal laws and the College’s policies and procedures;
5. Equipment or information resources are not used for illegal, malicious or obscene purposes;
6. Equipment or information resources are not used to seek or exchange electronic information or software unrelated to one’s job duties and responsibilities;
7. The College’s data and information are not shared with unauthorized individuals;
8. All software copyright and licensing laws are followed;
9. College email or passwords are not used for non-college sites (e.g., social networking sites);
10. Sensitive College information or student details are not shared on social networking sites;
11. Equipment is not used for any political purposes, including nonprofit activities of a political nature.
12. Equipment is not used for private or personal for-profit activities. This includes personal use for marketing or business transactions, advertising of products or services, or any other activity intended to foster personal gain. Employees may not use College equipment or information resources in pursuit of private businesses operated by the employee or in pursuit of work for other agencies, colleges or businesses.
13. Printers and photocopy machines may not be used for personal use.
Adopted: November 13, 2019
Any College employee who wants to use personally owned electronic devices on campus can do so through wireless public access. When using personally owned equipment on the College’s technology systems, employees are expected to adhere to all policies and rules regarding such use. The administration may create processes and procedures regarding the approval process for an employee’s personal electronic device in order to protect the integrity of the College’s network and technology systems.
Adopted: November 13, 2019
The College strives to provide information technology access in an environment in which access is shared equitably among users. This access is intended to be used in support of the College’s research, educational and administrative purposes. College owned or operated computer resources are for the use of College employees, students and other authorized individuals. This Policy’s purpose is to protect the College’s technology users and computer resources and to ensure equitable access and proper management of these resources.
II. ACCEPTABLE USE
A. Acceptable Activity
The College’s information technology resources are intended for the use of its students, employees and other authorized individuals for purposes related to instruction, learning, research and campus operations.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, internet browsing, and FTP, are the property of Montgomery Community College. These systems are to be used for business purposes in serving the interests of the College, and of our students, staff and faculty in the course of normal operations.
Users are expected to exercise responsible, ethical behavior when using all College computer resources. This Policy makes no attempt to articulate all required or prohibited behavior by users of the College’s computer resources.
“Authorized Individual” shall mean any person, other than a student or employee, granted permission to access the College’s network or allowed to use the College’s information technology resources. Authorized Individuals are expected to adhere to this and other College policies when accessing the College’s network and information technology resources.
B. Unacceptable Activity
Unacceptable activity includes, but is not limited to, the following:
1. Deliberately downloading, uploading, creating or transmitting computer viruses, malware, or other software intended to harm a computer or the College’s network.
2. Destroying or modifying directory structures or registries or interfering or tampering with another individual’s data or files.
3. Developing programs that infiltrate a computer or computing system, harass other users and/or damage software.
4. Attempting to obtain unauthorized computer access or privileges or attempting to trespass in another individual’s work.
5. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
6. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
7. Using another person’s password or sharing of one’s own password (users should not share their password with anyone and those who choose to do so are responsible for the outcomes resulting from the use of their password).
8. Storing sensitive and protected data unsecured on non-approved solutions including third-party hosted solutions and local mediums such as USB flash drives and portable hard drives.
9. Committing any form of vandalism on equipment, communication lines, manuals or software, or attempting to defeat or circumvent any security measures or controls.
10. Consuming food and/or beverages in computer labs, computer classrooms, library or in any other areas, unless otherwise authorized.
11. Wastefully using finite resources such as large amounts of bandwidth including but not limited to, downloading music, television shows, software programs, and/or movies.
12. Connecting personal network devices on the College’s wired network. Connecting unsanctioned products (software or hardware) to the College network or installing products for personal use. Special provisions may be made for visiting artists, lecturers, auditors and trainers at the discretion of the Director of Information Technology. Information Technology support staff can offer assistance in gaining network access under these special circumstances, but the College cannot guarantee functionality and assumes no responsibility for configuration of or damage to non-college equipment.
13. Using the College’s computer resources and Network to engage in disruptive, threatening, discriminatory or illegal behavior or behavior that violates the Code of Student and/or Employee Conduct.
14. Using a College computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
15. Disclosing confidential student or personnel information to unauthorized third parties.
16. Violating copyright laws and/or fair use provisions through: a) illegal peer-to-peer file trafficking by downloading or uploading pirated or illegal material including, but not limited to, software and music files; and b) reproducing or disseminating Internet materials, except as permitted by law or by written agreement with the owner of the copyright.
17. Other activities that interfere with the effective and efficient operation of the College or its Network or activities that violate the College’s Policies and Procedures.
18. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Montgomery Community College.
III. RESERVATIONS OF RIGHTS AND LIMITS OF LIABILITY
A. The College reserves all rights in the use and operation of its computer resources, including the right to monitor and inspect computerized files or to terminate service at any time and for any reason without notice.
B. The College makes no guarantees or representations, either explicit or implied, that user files and/or accounts are private and secure. No right of privacy exists in regard to electronic mail or Internet sessions on the College Network or College-owned hardware.
C. The College is not responsible for the accuracy, content or quality of information obtained through or stored on the College Network.
D. The College and its representatives are not liable for any damages and/or losses associated with the use of any of its computer resources or services.
E. The College reserves the right to limit the allocation of computer resources.
F. The College makes efforts to maintain computer resources in good working condition but is not liable for damages incurred by loss of service.
G. College funds may not be used to purchase personal network access or products.
H. The College shall not be liable legally, financially or otherwise for the actions of anyone using the Internet through the College’s network or College’s computers.
IV. WIRELESS INTERNET ACCESS
The College provides free wireless Internet access. Users of wireless access must abide by the Wireless Internet Access Guidelines and this Policy. Connection to the wireless network at any given time is not guaranteed. The College does not accept liability for any personal equipment that is brought to the College and, therefore, may not assist with configuration, installation, trouble-shooting or support of any personal equipment.
V. ELECTRONIC MAIL
The College provides free electronic mail accounts to certain College employees based on job responsibilities, as determined by the employee’s appropriate Vice President, and to all students who are enrolled in a curriculum or continuing education program. The use of College-provided electronic mail accounts must be related to College business, including academic pursuits. Incidental and occasional personal use of these accounts is acceptable when such use does not generate a direct cost to the College or otherwise violate the provisions within this Policy.
The College will make reasonable efforts to maintain the integrity and effective operation of its electronic mail systems, but users are advised that those systems should in no way be regarded as a secure medium for the communication of sensitive or confidential information. Because of the nature and technology of electronic communication, the College cannot assure the privacy of an individual’s use of the College’s electronic mail resources or the confidentiality of particular messages that may be created, transmitted, received or stored.
A. Unacceptable Activity
1. The College email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any College employee should report the matter to their supervisor immediately.
2. Employees are prohibited from automatically forwarding College email to a third party email system. Individual messages which are forwarded by the user must not contain College confidential information.
3. Employees are prohibited from using third-party email systems and storage servers such as Hotmail, Yahoo, etc. to conduct College business, to create or memorialize any binding transactions, or to store or retain email on behalf of the College. Such communications and transactions should be conducted through proper channels using College approved documentation.
4. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
5. Unauthorized use, or forging, of email header information.
College officials do not routinely monitor electronic mail but may do so as the College deems necessary. The College may use software to monitor electronic mail for certain safety protocols. Students and employees should not have any expectation of privacy regarding their electronic mail addresses provided by the College. The electronic mail sent and received on a College-provided e-mail account is the exclusive property of the College. Any user of the College’s computer resources who makes use of an encryption device shall provide access when requested to do so by the appropriate College authority. The College reserves the right to access and disclose the contents of employees’, students’ and other users’ electronic mail without the consent of the user. The College will do so when it believes it has a legitimate business or need including, but not limited to, the following:
A. In the course of an investigation triggered by indications of misconduct or misuse;
B. As needed to protect health and safety of students, employees or the community at large;
C. As needed to prevent interference with the College’s academic mission;
D. As needed to locate substantive information required for College business that is not more readily available;
E. As needed to respond to legal actions; and
F. As needed to fulfill the College’s obligations to third parties.
Electronic mail, including that of students, may constitute “educational records” as defined in the Family Educational Rights and Privacy Act (“FERPA”). Electronic mail that meets the definition of educational records is subject to the provisions of FERPA. The College may access, inspect and disclose such records under conditions set forth in FERPA. North Carolina law provides that communications of College personnel that are sent by electronic mail may constitute “correspondence” and, therefore, may be considered public records subject to public inspection under the North Carolina Public Records Act. Electronic files, including electronic mail, that are considered public records are to be retained, archived and/or disposed of in accordance with current guidelines established by the North Carolina Department of Cultural Resources or otherwise required by College
VI. PRIVATE EMPLOYEE WEBSITES AND OTHER INTERNET USE
When creating or posting material to a webpage or other Internet site, including social media, apart from the College’s website or approved ancillary external site or page, employees should remember that the content may be viewed by anyone including community members, students and parents. When posting or creating an external website, students, faculty and staff are not permitted to use the College’s name in an official capacity or use the College’s marks, logos or other intellectual property.
Employees are to maintain an appropriate relationship with students at all times. Having a public personal website or online networking profile or allowing access to a private website or private online networking profile is considered a form of direct communication with students. Any employee found to have created and/or posted content on a website or profile that has a negative impact on the employee’s ability to perform his/her job as it relates to working with students and the community or that otherwise disrupts the efficient and effective operation of the College may be subject to disciplinary action up to and including dismissal.
Each individual is ultimately responsible for his/her own actions. For employees, failure to exercise responsible, ethical behavior will result in disciplinary action up to and including dismissal. Students may be sanctioned according to procedures described in the Code of Student Conduct and other users may be barred permanently from using College computers and network access and suspended or expelled.
Certain activities violate Federal and/or State laws governing use of computer systems and may be classified as misdemeanors or felonies. Those convicted could face fines and/or imprisonment.
Adopted: November 13, 2019
This Policy governs the College’s retention of electronic records, including electronic mail (“email”) and instant messages. The Policy is intended to provide guidance on the need for retention of electronic records and messages sent and received by College employees. The College will retain and destroy electronic records, including email and instant messages, in accordance with this Policy, the State Guidelines for Managing Trustworthy Digital Public Records, and the approved Record Retention and Disposition Schedule (“the Schedule”) for community colleges adopted by the North Carolina Department of Cultural Resources and the North Carolina Department of Community Colleges. For the purposes of this Policy, the term “electronic records” is defined to include electronic mail and instant messages.
This Policy will be reevaluated every five (5) years, or upon the implementation of a new information technology system, and will be updated as required.
II. NORTH CAROLINA PUBLIC RECORDS ACT
Electronic records made or received in connection with the transaction of public business are public records as defined by the North Carolina Public Records Act, N.C.G.S. § 132-1 et seq. Examples of electronic records that are public records include, but are not limited to: messages that include information about policies or directives, official business correspondence, official reports, or material that has historic or legal value.
Public records, including electronic records, may not be deleted or otherwise disposed of except in accordance with the Schedule. The content of the electronic record determines its retention requirement.
The content of the email, not the method or device in which it was sent, dictates whether the email is a public record. For example, if an employee has work email on his private, personal email account, that email remains a public record. For this purpose, employees are strongly encouraged to use only their work email address for work emails. In the event that an employee, however, does have work emails on their personal email accounts, they are responsible to properly maintain the email and, if necessary for retention purposes, transfer the email to another medium for proper retention.
III. ELECTRONIC RECORDS CUSTODIAN
Because electronic messages can be sent and forwarded to multiple people, copies of the messages may exist in the accounts of multiple users. In most cases, the author, or originator, of the electronic message is the legal custodian and is responsible for maintaining the “record” copy. However, in cases in which the recipient has altered the message (made changes, added attachments, etc.), or when the message is coming from outside the College, the recipient is the one responsible for retaining the message.
When the custodian of an electronic message leaves the employment of the College, it is the responsibility of the supervisor to ensure all public records remaining on the computer and in the messaging account are retained or disposed of appropriately. The College additionally stores all email and instant messages as a fail-safe archive in the event of system failure or unlawful tampering. All messages which are sent or received using the College’s email and instant messaging system are copied and retained by this system for five (5) years. This storage mechanism is intended as a safety measure and does not replace the individual employee’s legal responsibility for retaining and archiving electronic messages in accordance with the state of North Carolina’s record retention laws.
IV. TYPES OF ELECTRONIC MESSAGES
For retention purposes, email messages generally fall into the following two categories:
A. Email of limited or transitory value. For example, a message seeking dates for a meeting has little or no value after the meeting. Retaining such messages serves no purpose and takes up space. Messages of limited or transitory value may be deleted when they no longer serve an administrative purpose.
B. Email containing information having lasting value. Email is sometimes used to transmit records having lasting value. For example, email about interpretations of an agency’s policies or regulations may be the only record of that subject matter. Such records should be transferred to another medium and appropriately filed, thus permitting email records to be purged.
V. PROCEDURES FOR COMPLIANCE
While the methods for reviewing, storing or deleting electronic records may vary, compliance with the retention requirements may be accomplished by one of the following:
A. Retention of Hard Copy. Print the record and store the hard copy in the relevant subject matter file as would be done with any other hard-copy communication.
B. Electronic Storage of records and email. Electronically store the record or email in a file, on a disk or a server so that it may be maintained and stored according to its content definition under this Policy.
VI. LITIGATION HOLD
A litigation hold is a directive not to destroy electronic records, including email, which might be relevant to a pending or imminent legal proceeding. The President may establish a committee to oversee and monitor litigation holds; such committee may contain a member of the Technology Department, the College’s legal counsel and a member of the Administrative Team. In the case of a litigation hold, the committee shall direct employees and the Technology Department, as necessary, to suspend the normal retention procedure for all related records.
VII. OUTSIDE INSPECTION
The College recognizes the judicial system may request pretrial discovery of the information technology system used to produce records. The College will honor requests for outside inspection of the system and testing of data by the courts and government representatives. Records must continue to exist when litigation, government investigation, or audit is pending or imminent, or if a court order may prohibit specified records from being destroyed or otherwise rendered unavailable.
VIII. RECORD DISPOSITION
Records may only be disposed of in accordance with the Schedule. Prior to the disposition of any record or record group after the applicable retention period, the records custodian will create and maintain a destruction log.
The President is authorized to adopt procedures to implement this policy.
Adopted: November 13, 2019
Amended: January 9, 2022
Legal Reference: N.C.G.S. §§ 121-5; 132-1 et seq; Records Retention & Disposition Schedule (August 23, 2019)
Cross Reference Policy 2.3.8
It is the College’s intent to provide efficient services for its employees, students and for the public. College officials and students are encouraged to use electronic means, especially electronic mail, when conducting College business when those means result in efficient and improved service. The acceptance of electronic signatures in e-mails from college campus accounts is encouraged. An electronic signature is defined as any electronic process signifying an approval to terms, and/or ensuring the integrity of the document, presented in electronic format.
Students may use electronic signatures to register, check financial aid awards, pay student bills, obtain unofficial transcripts, update contact information, log into campus computers, complete forms, submit class work and tests, etc. Employees may use electronic signatures for submitting grades, viewing personal payroll data, logging into campus computers, accessing protected data through the administrative computing system and custom web applications provided by the College, etc.
College user accounts are to be used solely by the student or employee assigned to the account. Users may not allow access to their accounts by other persons, including relatives or friends. All users are responsible for protecting the confidentiality of their account and for adhering to Policy 7.2 – Internet and Network Acceptable Use.
College employees are authorized to use an electronic signature to sign contracts, purchase orders, grant applications and other electronic documents to the same extent the employee is authorized to sign a hard copy of the document.
Adopted: November 13, 2019
I. COLLEGE SOCIAL MEDIA SITES
The College recognizes that social media sites are useful technologies in communicating with College constituencies and in enabling transparent communication. All of the College’s social media shall follow established procedures and shall be registered with the College’s Public Relations Department. College employees shall exercise good, professional judgment when using official College social media sites to ensure that communications are appropriate, professional, maintain the security of the College’s network and comply with local, state and federal laws and with the College’s technology security procedures. All content generated on a College-operated social media site should support the mission of the College.
College employees whose responsibility it is to operate a social media account on behalf of the College shall be responsible for monitoring discussions and content added by third-parties, including comments. The College’s Public Relations Department has the right to remove any post or comment on any social media account operated by the College. Additionally, posts made on social media sites must be ADA compliant, adhering to Web Content Accessibility Guidelines 2.0 Level AA (WCAG 2.0 AA). Employee administrators of social media sites must attend annual training regarding ADA compliance.
Social media accounts may be deactivated by the College’s Public Relations Department due to non-use or non-compliance with the College’s overall mission or goals. Social media accounts controlled by the College are subject to records retention regulations.
II. EMPLOYEE’S PRIVATE SOCIAL MEDIA SITES
When creating or posting material to a webpage or other Internet site apart from the College’s website or approved ancillary external site or page (i.e., social media site), employees should remember that the content may be viewed by anyone including community members, students and parents. When posting or creating an external website, students, faculty and staff are not permitted to use the College’s name in an official capacity or use the College’s marks, logos or other intellectual property.
Employees are to maintain appropriate relationships at all times with students and members of the public. Having a public personal website or online social media profile or allowing access to a private website or private social media profile is considered a form of direct communication with students and members of the public. Any employee found to have created and/or posted content on a website or profile that has a negative impact on the employee’s ability to perform his/her job as it relates to working with students and the community or that otherwise disrupts the efficient and effective operation of the College may be subject to disciplinary action up to and including dismissal.
III. SOCIAL MEDIA SITES AND BLOGGING
1. Blogging by employees, whether using the College’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy.
2. The College’s Confidential Information policy also applies to blogging. As such, employees are prohibited from revealing any Montgomery Community College confidential or proprietary information, or any other material covered by the College’s Confidential Information policy when engaged in blogging.
3. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of the College and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by the College’s Non-Discrimination and Anti-Harassment policy.
4. Employees may also not attribute personal statements, opinions or beliefs to the College when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of the College. Employees assume any and all risk associated with blogging.
Adopted: November 13, 2019
HEOA sets requirements for higher education to address illegal peer-to-peer (“P2P”) file sharing occurring on College networks. Illegal P2P file sharing is downloading, also known as copying and/or saving, copyrighted material to a hard drive or any other storage device and/or sharing or making it available to other people without the consent of the copyright holder.
P2P applications are used to legitimately share digital content. However, P2P applications can expose the College and individual users on the College’s network to legal liabilities when illegal file sharing occurs. P2P applications can also present a security risk because a downloaded file may actually contain a virus or a malicious program that could target and infect other machines on the network, impact the performance of the network and compromise sensitive/confidential information. The purpose of this Policy is to inform the College community on preventive measures that will help avoid legal liability and security risks resulting from illegal file sharing. This Policy applies to any individual using the College’s computer network.
Individuals using the College’s computer network will be held accountable for adhering to the following terms and conditions:
B. Delete unauthorized copyrighted material from your electronic device (i.e., computer, tablet);
C. Use a legal alternative to unauthorized downloading. The College does not endorse a particular product or service nor is it responsible for any cost or any technology related issues resulting from the use of the legitimate sources;
D. Disable the file sharing feature for P2P software if you do not have permission to share the digital material (i.e., documents, movies, games, etc.) legally; contact the software vendor for technical support;
E. Follow the P2P vendor’s best practices for securing the computer used for P2P activity (i.e., anti-virus software, a vendor supported operating system, personal firewall, current version of P2P application, etc.); the Federal Trade Commission¹ also has P2P best practices; and
F. For College-owned assets, P2P software can only be used to promote the College’s mission, academic and business needs. Where applicable, P2P software is not allowed on machines that process and/or store confidential/sensitive data. The personal use of P2P applications on College-owned assets for recreational and leisure purposes is prohibited.
Enforcement of this Policy shall include:
A. Disclosure to students on an annual basis which shall include legal alternatives to illegal file sharing;
B. Monitoring network traffic and limiting network bandwidth; and
C. Implementing other technology-based deterrents as needed.
In addition to employment and student discipline issued by the College in accordance with applicable policies and procedures (up to and including dismissal/suspension), individuals cited for unauthorized use may be subjected to civil and/or criminal damages such as monetary damages and potential prison time. According to the US Copyright Office², monetary damages can range from $200 to $150,000 for each act. Criminal prosecutions may result in a fine of up to $250,000 and a prison term of up to five (5) years for each act.
Adopted: November 13, 2019
Amended: January 9, 2022
Legal Reference: 20 U.S.C. §1092, §1094
Cross Reference: Policy 7.2
The College is committed to taking reasonable measures to support the accessibility of its audio, visual, telecommunications and web-based technologies (“Digital Technology”) for use by students, employees and/or the general public. Students who seek an accommodation for Digital Technology should contact Counseling Services. Employees who seek accommodations should contact the College’s Human Resources office.
Undue burden and non-availability may qualify as an exemption from this Policy when compliance is not technically possible or is unreasonably burdensome in that it would require extraordinary measures due to the nature of the request or would fundamentally alter the purpose of the Digital Technology.
When conducting core academic and business activities using web content, the College shall make a good faith effort to align the web content with the guidelines of the most current version of Web Content Accessibility Guidelines 2.0 Level AA (WCAG 2.0 AA).
Adopted: November 13, 2019
Legal Reference: Americans with Disabilities Act of 1990, as amended.
The purpose of this policy is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our students and our vendors is secure in locked areas and out of sight. A Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy controls.
A clean desk policy can be an important tool to ensure that all sensitive/confidential materials are removed from an end user workspace and locked away when the items are not in use or an employee leaves his/her workstation.
This policy applies to all Montgomery Community College employees and affiliates.
1. Employees are required to ensure that all sensitive/confidential information in hard copy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
2. Computer workstations must be locked when the workspace is unoccupied.
3. Computer workstations must be logged out completely at the end of the work day.
4. Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.
5. File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
6. Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
7. Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
8. Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
9. Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
10. Whiteboards containing Restricted and/or Sensitive information should be erased.
11. Lock away portable computing devices such as laptops and tablets.
12. Treat mass storage devices such as portable hard drives or USB drives as sensitive and secure them in a locked drawer.
13. All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
III. POLICY COMPLIANCE
Compliance verification of this policy will be completed through various methods, including but not limited to, periodic walk-throughs, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved in advance by the CIO.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Adopted: November 13, 2019
In accordance with the Gramm-Leach-Bliley Act (“GLBA”), 16 CFR Part 314, Montgomery Community College implements and maintains a comprehensive written Information Security Plan (“ISP”) and appoints a coordinator for the program. The objectives of the ISP are to (1) insure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to customers.
II. INFORMATION SECURITY PLAN
This Information Security Plan (“Plan”) describes safeguards implemented by the College to protect covered data and information in compliance with the FTC’s Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA). These safeguards are provided to:
This Information Security Program also identifies mechanisms to:
III. INFORMATION SECURITY PROGRAM COORDINATOR(S)
The Vice President of Administrative Services and the Dean of Technology & Learning Resources serve as the coordinators of this Program at MCC. They are responsible for assessing the risks associated with unauthorized transfers of covered data and information, and implementing procedures to minimize those risks to the College. Designated staff in both areas conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and verify that all departments comply with the requirements of the security policies and practices delineated in this program.
IV. IDENTIFICATION AND ASSESSMENT OF RISKS TO CUSTOMER INFORMATION
MCC recognizes that it is exposed to both internal and external risks, including but not limited to:
Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, MCC’s Information Services Committee actively participates in and monitors appropriate cybersecurity advisory groups for identification of risks.
V. EMPLOYEE MANAGEMENT AND TRAINING
References and/or background checks (as appropriate, depending on position) of new employees working in areas that regularly work with covered data and information (e.g. Business Office, Financial Aid) are checked/performed. During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts minimize risk and safeguard covered data and information.
VI. PHYSICAL SECURITY
MCC addresses the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to College employees with an appropriate business need for such information. Furthermore, each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.
VII. INFORMATION SYSTEMS
Access to covered data and information via the College’s computer information system is limited to those employees and faculty who have a legitimate business reason to access such information. The College has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to the College’s information systems.
MCC adheres to best practices and standards set forth in the NC Institutional Information Processing System (IIPS) Manual prepared by the IIPS Security Standards Committee and provided to North Carolina community colleges.
Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.
VIII. OVERSIGHT OF SERVICE PROVIDERS
GLBA requires the College to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards.
IX. CONTINUING EVALUATION AND ADJUSTMENT
This information security program will be subject to periodic review and adjustment annually. Continued administration of the development, implementation and maintenance of the program is the responsibility of the designated Information Security Program Coordinator(s), who assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Program Coordinator(s) will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.
Adopted: September 8, 2021