SP 6-10a – Acceptable Use of Information Assets Procedure
Colorado Community College System / System Procedure
SP 6-10a
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES: Board Policy (BP) 6-10, Cyber Security Policy; Board Policy (BP) 3-125; Electronic Communication Policy; System Procedure (SP) 6-10b Access and Authentication; System Procedure (SP) 6-10s, Remote Access
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
BASIS
This procedure documents the acceptable use of Information Assets at the Colorado Community College System and its Colleges (“CCCS”) and is implemented to protect CCCS’s faculty, staff, students, partners and the institution from internal and external exposures, illegal or harmful actions including compromise of systems and services, legal issues, financial loss, and damage to reputation by individuals, either knowingly or unknowingly.
On an annual basis, employees shall be required to read and sign the Acceptable Use of Information Assets Agreement that indicates their understanding and acceptance of this procedure.
APPLICATION
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.
DEFINITIONS
Information Asset
An information asset is a body of CCCS information, defined and managed as a single unit so that it can be understood, shared, protected and used effectively. Information assets have recognizable and manageable content, value, risk, and lifecycles. Information assets also include Information Systems and non-digital or physical assets which contain CCCS Information.
Information System
An information system is a discrete set of CCCS resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. An information system does include CCCS data.
Incident
An incident is an event that, as assessed by the System Information Technology (“IT”) Department (“System IT”), the College IT Department (“College IT”) or System Vice-Chancellor for Information Technology, violates the Acceptable Use of Information Assets System Procedure; violates another CCCS procedure, standard, or code of conduct; or threatens the confidentiality, integrity, or availability of Information Systems or Assets. If there is a difference of opinion, the System Vice Chancellor for Information Technology shall make the final determination of a CCCS breach.
PROCEDURE
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
Faculty/Staff/Instructors/Volunteers/Student Workers (“Users”)
- Users are permitted to access, use, and disclose CCCS Information Assets only as necessary to perform their job function and only for work related purposes. This responsibility continues after an employee’s employment with CCCS terminates.
- CCCS Information Systems are owned by CCCS and have been made available to employees for the purpose of furthering CCCS’s educational goals and objectives. Employees’ personal use of the CCCS Information Systems is permitted as long as such use is occasional in nature, does not interfere with an employee’s job performance, is not offensive, disruptive, illegal or harmful, discriminatory, harassing or in violation of any applicable CCCS policy or procedure.
- CCCS Information Systems cannot be utilized for personal profit or gain.
- Employees are not to consider use of the CCCS Information Systems and Assets, including but not limited to telephones, mobile phones, email, and internet access, as confidential and/or private. CCCS reserves the right to monitor employee use of its Information Systems.
- Employees shall safeguard CCCS related information. Employees shall not store CCCS restricted or sensitive data on unencrypted local hard drives or unencrypted removable electronic media.
- Employees are prohibited from taking pictures or recordings of restricted or sensitive information (as defined in the Data Classification and Handling Procedure), without authorization.
- Employees are required to protect restricted or sensitive information from being viewed by unauthorized individuals.
- Employees shall not use CCCS Information Systems to perform activities that would violate local, state, federal, or international laws.
- Employees are prohibited from sharing unlicensed versions of copyrighted material. Additionally, employees shall not use or distribute software to bypass digital copyright protections.
- Employees are prohibited from using personal email and file share accounts for CCCS purposes.
- Employees shall not attempt to circumvent security measures put in place to protect CCCS Information Systems or Assets.
- Remote access shall be restricted as outlined in Remote Access Procedure.
Non-Compliance
- Violations of this procedure may result in disciplinary action, up to and including termination for CCCS employees, expulsion for students, and dismissal for authorized volunteers, guests or visitors.
- Users who knowingly and willfully violate state or federal law for improper use or disclosure of an individual’s information are subject to criminal investigation and prosecution or civil monetary penalties.
- It is a violation of this procedure to engage in retaliatory acts against any person who reports an incident. Such acts will be subject to discipline.
REVISING THIS PROCEDURE
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.