Policies

central home / Policies / Employee Policies / Acceptable Use Of Information Technology Resources

Acceptable Use Of Information Technology Resources

Overview

The Acceptable Use of Information Technology Resources Policy sets expectations for the secure, ethical, and responsible use of Central College technology by all users. It defines user responsibilities, safeguards for confidential information, appropriate access and behavior standards, and the College’s authority to manage and monitor its systems in support of its mission and legal compliance.

Definitions

Cloud Services: Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. Common examples of cloud computing applications are Microsoft Office 365, Dropbox, Facebook, Google Drive, Salesforce, and Box.com.

Confidential Information: Confidential Information is information protected by statutes, regulations, Central College policies or contractual language. Information Owners may also designate Information as Confidential. Confidential Information is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only. Disclosure to parties outside of Central College must be authorized by Information Technology Services (ITS) and/or General Counsel, or covered by a binding confidentiality agreement.

Information Resource: An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. Information can be stored in many forms, including: hardware assets (e.g. workstation, server, laptop) digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which the information is transmitted, it always needs appropriate protection.

 Information Security: the practice of protecting information by mitigating risks to the confidentiality, integrity, and availability of information by means of administrative, physical, and technical security controls.

 Internal Information: Internal Information is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Information is information that is restricted to personnel designated by Central College, who have a legitimate business purpose for accessing such Information.

Mobile Device: Computing devices that are intended to be easily moved and/or carried for the convenience of the user, and to enable computing tasks without respect to location. Mobile devices include, but are not necessarily limited to mobile phones, smartphones, tablets, and laptops.

Need to Know: a term used to describe the restriction of data or systems which are considered very sensitive. “Need to know” is used to describe the requirement that a person have a legitimate purpose for accessing data or systems regardless of their clearance level or access permissions.

 Personally owned: Systems and devices that were not purchased and are not owned by Central College.

Remote wipe: a security feature that allows a network administrator or device owner to send a command that deletes some or all data located on a computing device without having possession of it.

 Removable media: Portable devices that can be used to copy, save, store, and/or move Information from one system to another. Removable media comes in various forms that include, but are not limited to, USB drives, flash drives, read/write CDs and DVDs, memory cards, external hard drives, and mobile phone storage.

 Security Awareness: the knowledge and perception members of an organization possess regarding the protection of the physical and informational assets of that organization.

 

Responsibilities

Chief Information Officer is responsible for providing interpretation of this and other related policies and disseminating related information.

Information Security Committee regularly meets and advises the Chief Information Officer on matters related to information security.

Information Technology Services (hereinafter “ITS”) is charged with providing the information system infrastructure of the College. Prior approval from ITS is required to utilize an information system infrastructure other than the one maintained by ITS.  Users of such systems must self-identify their information system infrastructure inventory with ITS on an annual basis, or upon ITS request.

Users of the College’s information resources are responsible for the application of this and related policies to the systems, information, and other information resources which they use, access, transmit or store.

Supervisors and Faculty are responsible for ensuring their teams and students are aware of and adhere to this policy.

 

Policy Details

The purpose of the Acceptable Use of Information Technology Resources Policy (“Policy”) is to establish rules and expectations for the responsible and secure use of Central College’s (“College”) information technology resources. These resources include computers, networks, software, email systems, internet access, mobile devices, and any other systems or devices that store, process, or transmit college information.

This policy applies to all users, including faculty, staff, students, contractors, visitors, and any other individuals granted access to college technology resources, whether on campus or remotely.

Central College is the official owner of its technology resources, and the College reserves the right to deny use to those who do not use them responsibly. The College provides these resources to support its mission of teaching, learning, research, scholarship, and administrative operations. Users are expected to use these resources ethically, responsibly, and in compliance with all applicable laws and college policies. We expect all users to meet the highest standards of ethics and responsibility.

One’s use of technology must not infringe upon the rights of other users, interfere with the normal operation of computing systems and software, or consume an unfair share of system resources.

Central College reserves the right to protect itself from liabilities posed by the electronic behavior of users of College resources if behaviors are illegal or violate College policies.

 

Scope

This policy covers all information technology resources owned, leased, managed, or operated by the College. Personal use of technology is permissible to access college systems or data as long as it does not interfere with other appropriate uses or violate other college policies. It applies to the use of all college resources on or off campus.

 

Academic Freedom and Free Expression

The College supports academic freedom and the free exchange of ideas. This policy is not intended to restrict legitimate academic inquiry, teaching, research, or protected speech. However, users must ensure that their use of technology resources does not violate laws, college policies, or the rights of others.

 

Authorized Users

Access to college technology resources is granted to current faculty, staff, students, and authorized affiliates. Limited access may be provided to emeriti faculty, retirees, alumni, guests, or visitors associated with official college activities.

 

Acceptable Use

Personnel are responsible for complying with Central College policies when using Central College information resources. If requirements or responsibilities are unclear, please seek assistance from the Information Technology Services (ITS).

Users must promptly report suspected security incidents, policy violations, or unauthorized access to ITS or their supervisor. Incidents include, but are not limited to:

  • Technology incidents (e.g., system failures, interruptions, or malware).
  • Data incidents (e.g., loss, theft, or compromise of college information).
  • Unauthorized access to systems or facilities.
  • Facility security incidents (i.e., damage or potentially unauthorized access to a Central College owned, leased or managed facility)
  • Policy violations.

Users should not purposely engage in activity that may:

  • Harass, threaten, impersonate, or abuse others.
  • Degrade system performance or deprive others of access.
  • Obtain additional resources beyond those allocated.
  • Circumvent Central College security measures.
  • Exploit system weaknesses (e.g., running password crackers, sniffers, or scanners).

Users must not intentionally access, create, store, or transmit offensive, indecent, obscene, or pornographic materials, except where required for legitimate academic purposes.

Incidental personal use of college information resources is permitted if it is minimal, does not interfere with work or academic duties, incurs no additional cost to the college, and complies with all policies.

Access Management and Authentication

  • Access is granted on a “need-to-know” basis.
  • Users may only use accounts, network addresses, and resources assigned to them.
  • Passwords and authentication credentials (e.g., PINs, tokens, multi-factor authentication) must be kept confidential and not shared, except in rare, approved circumstances.
  • Passwords must be strong (meeting college requirements for length, complexity, and history), unique where possible, and not reused from personal accounts.
  • Users who have reason to believe that their password has been compromised must change it immediately.
  • Lost or compromised credentials, access cards and/or keys must be reported immediately.
  • Remote access must use approved virtual private networks (VPNs).
  • Access cards and/or keys that are no longer required must be returned to physical security personnel.
  • All users must complete an approved security awareness training upon hiring/enrollment and annually thereafter.

Privacy and Monitoring

  • Information created, sent, received or stored on Central College information resources should not be considered private.
  • Central does not routinely or without cause monitor an individual’s network activity or electronic files. However, Central College owns and maintains the computer and communication technology used by its students, faculty and staff, and has the right and responsibility to periodically access files to service and repair these systems and to ensure that college policies and applicable laws are observed.
  • Privileged access by ITS staff, other system administrators and other authorized Central College personnel is limited to job-related tasks.
  • Confidential information must be handled appropriately, and users must not disclose any confidential information without authorization.

Clear Desk/Clear Screen

  • Personnel should lock or log off devices when unattended.
  • Personnel should secure confidential materials in locked storage when away from workspaces.
  • Personnel should not post passwords or leave confidential/sensitive items visible.

Data Security

  • Personnel should use approved encryption methods for confidential information in transit or at rest, per college standards. Use of encryption should be managed in a manner that allows designated Central College personnel to promptly access all data.
  • Confidential information must not be stored on unapproved cloud services or personal devices.
  • Removable media (e.g., USB drives) requires approval and encryption for college data; personally owned removable media is prohibited for college information.

Email and Electronic Communication

  • Use college email for official business; personal email accounts must not be used for confidential college matters.
  • All students and employees are required to have a Central College e-mail account and to check it regularly.
  • Auto-forwarding electronic messages to external accounts is prohibited.
  • Personal use of Central College provided email should not:
    • Involve solicitation.
    • Have the potential to harm the reputation of Central College.
    • Forward chain emails.
    • Contain or promote unethical behavior.
    • Violate local, state, federal, international laws or regulations.
    • Result in the unauthorized disclosure of confidential information.
    • Or otherwise violate any other Centra College policies.
  • All personnel are to exercise caution with links and attachments with electronic communications.
  • All personnel should use discretion to avoid disclosure of confidential or internal information in out-of-office messages.
  • Accounts must not be shared without prior authorization from Central College IT, with the exception of calendars and related calendaring functions.

Internet Use

  • Internet access is for college-related activities.
  • Prohibited activities include accessing pornographic or illegal sites, or unauthorized hacking.

Mobile Devices and BYOD

  • All mobile devices should maintain up-to-date versions of all software and applications.
  • Confidential college information should not be stored on personal devices.
  • Lost or stolen devices used for college access must be reported immediately.
  • The college may remotely wipe college data from approved devices if needed.
  • Texting/emailing while driving on college business or using college devices is prohibited.

Hardware and Software

  • All hardware connected to college networks and software installed on college devices must be approved and managed by ITS.
  • Personally owned devices must comply with minimum security standards.
  • All Central College assets taken off-site should be physically secured at all times.
  • Family members or unauthorized persons may not use college resources.
  • For IT purchases, see the Hardware Purchasing Policy and Software Purchasing Policy.

Physical Security

  • Piggy-backing, tailgating, door propping and any other activity to circumvent door access controls are prohibited.
  • Photographic, video, audio, or other recording equipment, including but not limited to cameras and cameras in mobile devices, are prohibited in secured areas.
  • Visitors accessing controlled areas must be escorted by authorized personnel.

Copyright and Intellectual Property

  • Users must comply with U.S. copyright law, fair use guidelines, and the TEACH Act for distance education.
  • Users must respect copyrights, patents, trademarks, and software licenses. Unauthorized copying, distribution, or use of protected materials (including peer-to-peer file sharing of copyrighted content) is prohibited.

 Artificial Intelligence or Large Language Models (LLM)

  • Do not disclose or share any confidential or sensitive information when interacting with Artificial Intelligence (AI) or Large Language Model (LLM) technologies.
  • Usage must adhere to all relevant laws, regulations, and industry standards, such as data protection and privacy regulations (e.g., GDPR, CCPA) and financial industry guidelines (e.g., PCI DSS).
  • Exercise caution when relying on AI and LLM responses for critical decisions or actions. Use these models as a support tool rather than a sole source of information.
  • Users are responsible for checking the accuracy of any work or output produced when using AI or large language model technologies.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Reports of violations should be made to ITS, a supervisor, Human Resources, or the appropriate dean/vice president.

 Waivers

Exceptions to this policy may be granted through a formal waiver process reviewed by ITS and appropriate leadership.

References

Other related college policies include Data Classification, Incident Management, Information Security.

Contact

Questions about this policy should be directed to the Chief Information Officer or Information Technology Services.

 

Last Revision Date: 2/20/2026

Policy Owner: Information Technology Services