455.000 - Information Technology Services

The College shall provide an information technology infrastructure to support all instructional, administrative and student support services. The College shall manage its technological infrastructure, system, equipment and resources through a series of procedures, guidelines, rules, regulations, restrictions, and requirements. The Board shall delegate to the president or designee the authority to develop, implement and enforce all appropriate administrative procedures.

455.005 TELEPHONE SERVICES

The College provides telephone services for the purpose of conducting official activities. Local calls of a personal nature are permitted for the efficiency and welfare of the College staff. Long distance calls (calls outside the local 360 area code) may be made only for authorized business purposes. RCW 42.52.160 states that no state employee may employ or use any person, money, or property, under the employee's official control or direction, or in his or her official custody, for the private benefit or gain of the employee or another.

Students should not be permitted to use staff telephones except as directly authorized by a staff member for College business or emergency only. Pay telephones are available for personal use by students. 

Offices containing telephones should be kept locked when not under the supervision of a College staff member.

Telephone problems should be reported to Information Technology Services. If a change in telephone service or equipment is needed, a Service Request may be submitted to Information Technology Services by e-mail at techsupport@clark.edu or by calling the Help Desk at (360) 992-2425.

Cellular Phones

The College provides two options for cellular telephone service for those employees who require this service to perform their job duties and who have received approval to purchase or be reimbursed for cellular telephone service.

  1. Option 1. The College provides the telephone instrument and pays the cost of the voice and data plan, if applicable, with the understanding that the telephone is to be used for business purposes only in accordance with the Executive Ethics Law.

  2. Option 2. In the case of employees who wish to use their cellular service for both personal and business calls, and also wish to synchronize College e-mail and calendar data with their personal telephone instrument (smart phone), the employee purchases the telephone instrument and service plan and requests reimbursement from the College for the data service only (voice service paid by the employee).

    Employees selecting Option 2 are to request applicable government discounts at the time service is ordered.  Employees are to be reimbursed for the data plan only plus the pro rata share of applicable taxes based on the base rate of the service provided.

    Employees may seek reimbursement on a quarterly or annual basis by submitting a purchase request and attaching copies of monthly billing statements (voice plan call detail records are not required).

    Employees must request reimbursement annually at a minimum. Requests for reimbursement in excess of twelve months in any fiscal year will not be honored.

    Employees who are considering Option 2 are urged to check with Information Technology Services to ensure that the telephone instrument and service plan being considered is compatible with the Microsoft Exchange e-mail system. The College is not responsible for ensuring compatibility between the multitude of mobile plans and the College’s Exchange e-mail service.

455.010 FAX SERVICES

College employees are not to use College FAX machines for personal/private use. FAX services may be purchased in the Bookstore.

455.015 USE OF COMPUTER SOFTWARE

Unauthorized duplication of patented or copyrighted computer software, information processing service, electronic database, software program, or electronic data, or violation of applicable software licensing agreements is strictly prohibited. The term "computer software" includes the package delivered or offered to the College but is not limited to computer programs, manuals, copyrighted accessories, data, and intellectual property.

The term "duplication" refers to the copying of material or information in any form—electronic or otherwise.

The liability for willful infringement of a copyright or violation of a software licensing agreement will lie exclusively with the person who made or ordered the unauthorized copy or violated or caused the software agreement to be violated. Clark College will assume no responsibility, will pursue all remedies available against a violator, and will not provide legal assistance to those who have violated the law or licensing agreements.

Computer users must contact the director of information technology services if there are any questions about software that is protected by copyright or licensing agreements. The director of information technology services will assist those who need help understanding full compliance with the federal and state law.

Clark College employees will not condone copyright or licensing violations by students and other employees.  Those who witness or are aware of violations of copyright law or licensing agreements should report the matter promptly to the director of information technology services. Please also see Administrative Procedure 535.075 EMPLOYEE INFORMATION TECHNOLOGY RESOURCES POLICY.

455.020 PERSONAL COMPUTER PURCHASING

In certain cases, it is necessary to buy a specific brand, model, or type of computer hardware. The user may have a unique application that prevents the consideration of different personal computers. In such cases, the user should complete a Sole Source/No Substitute form, available from Purchasing Services, and submit it with the Purchase Request.

As an example, computers within a lab area may need to be identical so that students will not be confused by different equipment; when an additional computer is bought, it is appropriate to buy a piece of equipment exactly like what is already in use.

In most cases, it is unnecessary to specify a certain brand, model, or type of computer if the user is mainly interested in the functionality of the machine. As long as the computer meets the user's functional requirements, the brand name does not matter.

Purchasing Services must have clear specifications for the equipment that is being purchased. All Purchase Requests must be accompanied by an exact list of the hardware characteristics. Among the characteristics that may be specified are:

    1. Amount of memory.
    2. Processor type and speed.
    3. Number of expansion slots.
    4. Number of disk drives.
    5. Type and size of disk drives.
    6. Number of serial ports.
    7. Number of parallel ports.
    8. Type of video card.
    9. Type of monitor, including resolution, size, color, etc.
    10. Number of slots for hard and floppy disks.
    11. Required cables.
    12. Installation.
    13. Warranty.
    14. Local vendor support.

The director of information technology services will assist users in the preparation of computer specifications and will review all Purchase Requests before they are sent to Purchasing Services. The director of information technology services is responsible for helping Purchasing Services with the analysis of vendor quotes or requests for proposals.

Whenever possible, a list of suggested vendors will accompany the Purchase Request. Whenever possible, local vendors will be used since it may be easier to obtain technical support from a company that is near the College.

The College has adopted standards for hardware and software that link to the campus local area networks.

455.022 APPLICATION SERVICE PROVIDERS

Introduction

An Application Service Provider (ASP), sometimes called a “hosted service”, is a business that provides computer-based services to customers over a communications network.  Typically, the ASP develops and maintains software applications, and supplies the servers, databases and communications equipment needed to deliver the service to the customer. The services of an ASP may be delivered over a private network but, more commonly, the Internet and the World Wide Web are used to collect, process and store customer information. The use of the Internet as a transport network provides ubiquitous access to the ASP’s application, but also poses significant data security risks.

The College will typically enter into a contract with an ASP to provide services, for which it will pay the ASP a fee. An ASP may also be loosely affiliated with the College. An ASP in this category is not generally paid by the College for the service it delivers. An example is an enterprise that uses advertising revenues to provide a free service to the College’s students. The use of any ASP that wishes to associate the service it provides with the College in any way, directly or indirectly, by reference or the use of logos, brand, etc., falls under the purview of this policy.

Scope

This policy details the requirements and procedures that must be followed by Clark College employees or contractors who wish to engage the services of an ASP. It further describes the general requirements of the ASP.

Statutory Authority

The provisions of RCW 43.105.041 detail the powers and duties of the Information Services Board (ISB), including the authority to develop statewide or interagency information services and technical policies, standards, and procedures. This policy is executed in accordance with the Washington State Department of Information Services Information Technology Security Standards.

Managing Risk

Clark College relies heavily on information technologies both in its business operations and in its instructional programs. Hosted services are increasingly used to deliver/augment instruction and for administrative or support services. By their nature, ASPs operate outside the normal internal procedures and controls of the College. Therefore, special attention must be paid to the selection and use of ASPs to effectively manage the risk associated with hosted services. Inasmuch as most ASPs collect or share data with the College, and store data on their servers or those of a subcontractor, steps must be taken to fulfill the College’s statutory obligation to provide appropriate safeguards for sensitive or confidential data. 

Project Sponsor Requirements

The ASP project sponsor, the person or organizational unit within the College requesting the services of the ASP, shall follow the ASP engagement process outlined below prior to engaging the services of an ASP.

  • The project sponsor must submit the draft project proposal to the Director of Information Technology Services for preliminary review prior to engaging the vendor community.
  • Special data security requirements apply to ASPs that will share, collect, process and store data classified as “sensitive” or “confidential.” See definitions at the end of this policy.
  • The project sponsor, while exploring functional requirements with a vendor or obtaining budgetary quotes, must not state or imply that the business will be awarded to the vendor. Most large projects are subject to a competitive procurement (bid process).
  • If the cost of the service being considered exceeds $10,000, including annual licensing fees and implementation costs, the project must be put out to bid unless there is compelling justification to pursue a sole-source procurement. This process generally requires the development of a Request for Proposal (RFP) document containing detailed specifications for the project. Drafting the RFP requires the involvement of Purchasing Services and Information Technology Services. The project sponsor must allow a minimum of 90 days from the date of Executive Cabinet approval until the awarding of a contract. 
  • A contract between the College and the ASP must be written detailing the terms and conditions of the service engagement. This contract must be reviewed by the director of operations and auxiliary services and approved by the vice president of administrative services.
  • ASP project proposals, including budgetary estimates, must be approved by the project sponsor’s representative on the Executive Cabinet of the College prior to initiating the RFP process or engaging the services of an ASP.

Application Service Provider Requirements

  • If the ASP will be sharing, collecting, or storing “sensitive” or “confidential” information, the ASP must comply with the minimum security requirements set forth in the security standard entitled Clark College IT Security Standard – Application Service Providers.
  • The ASP security standard requires the vendor to provide a detailed description of the hosted service environment and to certify that the ASP complies with the requirements of the standard. The College cannot do business with vendors who are unable or unwilling to certify compliance with this security standard.
  • It is anticipated that the ASP security standard will change over time as new requirements and/or threats are identified. Vendors are required to re-certify compliance with the standard including any revisions or additions at the time of the contract renewal.
  • Vendors are required to sign a contract detailing the terms and conditions of the service engagement. The College will not accept standard vendor contracts but will negotiate the terms of the contract with the vendor. 

Enforcement

Employees who intentionally violate the provisions of this policy are subject to disciplinary action in accordance with established College policy and/or negotiated agreements.

Definition of Data Classes

The following definitions are used to classify data for security purposes:

Normal:  The least restrictive class of data.  Although it must be protected from unauthorized disclosure and/or modification, it is often public information or generally releasable under College procedures for processing public records requests. Examples of this class of data are: class schedules, course catalogs, general ledger data, and employee demographic statistics.

Sensitive: This class includes data for which specific protections are required by law or for which agencies are obligated to prevent identity theft or similar crimes or abuses. Examples of this class of data are: people’s names in combination with any of the following: driver’s license numbers, birth date, employee ID number (EID), address, e-mail addresses, telephone numbers. Also included are: agency software source code or object code, agency security data, education records including papers, grades, and test results, or information identifiable to an individual that relates to any of these types of information.

Confidential: This class includes passwords, Social Security Numbers (SSN), credit card numbers, expiration dates, PINs, and card security codes, financial profiles, bank routing numbers, medical data, law enforcement records. All data classified as Confidential shall be encrypted in storage and in transit. Access to these elements is tightly controlled and audited.

New Policy/Procedure Approved by Executive Cabinet
October 12, 2010

455.025 USE OF REMOTE DESKTOP PROTOCOL

Introduction

Remote Desktop is a software tool that allows a technician to logon to a user’s machine from a remote location for the purpose of performing routine maintenance and troubleshooting tasks. Without Remote Desktop a technician must be physically present at the location of the affected computer and logon to a user’s computer using an administrator username and password in order to perform maintenance activities.

In order for Information Technology Services to provide outstanding service to the College community, it is necessary that Information Technology Services personnel use modern tools to install software and troubleshoot computer issues in the most efficient manner possible, consistent with sound security principles. This procedure is intended for maintenance and troubleshooting purposes. In all cases, this procedure will be implemented consistent with the language of the College’s approved collective bargaining agreements.

Policy

Information Technology Services technicians and systems administrators are authorized to use Remote Desktop, a remote access software tool, in accordance with the following procedure.

Procedure for Conducting Remote Desktop Sessions

  1. Whenever possible, the Remote Assistance tool will be used as an alternative to Remote Desktop.*  Where the scheduling of a Remote Assistance session is problematical or where the advanced capabilities of Remote Desktop are required to perform a maintenance or troubleshooting task, Information Technology Services technicians are authorized to use the Remote Desktop tool.

  2. Before initiating a Remote Desktop session, the technician will e-mail the affected user explaining the need for the remote session and describing the work that he/she will perform during the session.

  3. The technician will invite the user by both phone and e-mail to be present at the location of the affected computer during the remote session.

  4. If at the time of initiating a remote session the computer is “locked” by the user, the technician will not “unlock” the session without the user’s permission.

  5. The technician will attempt to complete the remote session during a time that is convenient for the user (i.e., during times when the user does not need to use the computer).

  6. The technician will perform only the work described to the user in the pre-work communications and will complete the work in a timely manner.

  7. The technician will notify the affected user by e-mail within 24 hours summarizing the work performed during the Remote Desktop session on a user’s computer and will at all times abide by the Clark College Systems Administrator Code of Ethics.

*Remote Assistance is a software tool similar to Remote Desktop where the user, sitting in front of his/her computer, works interactively with a technician at a remote location to solve problems or demonstrate the use of computer features. Remote Assistance requires that the user explicitly approve the transfer of control of the user interface (keyboard and mouse) to the technician during the help session.

New Policy/Procedure Approved by Executive Cabinet
June 30, 2009

455.027 EMPLOYEE COMPUTING RESOURCES

1. Intent

It is the policy of the College to maintain access for its community to local, national, and international sources of information and to provide an atmosphere that encourages access to knowledge and the sharing of information. It is expected that College computing resources will be used by members of the College community with respect for the public trust through which they have been provided and in accordance with policy and regulations established from time to time by the College and its operating units.

2. Scope

In this policy, computing resources are defined as those computers, computer software, networks, and electronic messaging systems (e-mail, voice mail, facsimile and imaging systems) operated by or for the benefit of the students, faculty, and staff of the College. The use of these resources is a privilege, not a right.  It is the user’s responsibility to use these resources in a manner that is efficient, ethical, and legal.

All users shall strictly adhere to both the letter and spirit of this policy which is provided to ensure a predictable, secure computing environment for all users. Failure to comply with the regulations set forth in this policy may result in loss of access to College computing resources, and administrative, civil, and criminal action under Washington State or federal law.

3. General Provisions

a. College computing resources are to be used only for authorized educational and business purposes. It is the obligation of College employees to be aware of the governing law, rules, and guidelines set forth in Chapter 42.52 RCW, Ethics in Public Service Act; WAC 292-110-010, Use of state resources; and Section 417030 of the Clark College Administrative Procedures manual, Ethics in Public Service. Copies of these documents may be obtained from the director of computing services.

b. If your access to computing resources is protected by a personal password, you are not to make this password available to others, or allow others to use your password-protected account, either purposefully or by omission. You may not allow someone else to give his/her password to you, or attempt to find out the password of another user, or aid such attempt by any other person. In some instances, shared accounts may be established to allow collaboration, in which case a password may be shared.

c. You may not interfere with the use of computing resources by any other authorized user, or compromise the confidentiality of the College’s internal business practices or records.

d. You may not use College computing resources to send, receive, or display information including text, images, or voice that is sexually explicit or constitutes discrimination or harassment. “Sexually explicit material” is defined in RCW 9.68.130, but exempts authorized study and research in the areas of art, health, and science. Procedures related to discrimination and harassment are specifically addressed in the Clark College Administrative Procedures manual, Sections 400, 600 and 700, and are incorporated herein.

e. You may not examine, copy, alter, rename, or delete the files or programs of another user without the user’s permission. System administrators may, as a requirement of system maintenance, delete files that are determined to be non-essential.

f. You may not forge any electronic message or engage in any other fraudulent activity using College computing resources.

g. You may not subvert or attempt to subvert, or assist others to subvert, the security of any computing resource or otherwise interfere with the legitimate operation of any computing resources, whether internal or external to the College (hacking).

h. The use of software or hardware devices designed to capture or examine network data (protocol analyzer or “sniffer”) is restricted to authorized College staff for the purpose of network maintenance and instruction. Unauthorized use of such software or hardware devices is expressly forbidden.

i. You may not use College computing resources to create, disseminate, or execute self-replicating or similar nuisance programs (e.g., virus, worm, Trojan horse, e-mail bomb, spamming), whether or not they are destructive in nature.

4. Copyrights/Patents

It is the employee’s responsibility to be informed of copyright and patent law as it applies to computer software and other materials that you may access using College computing resources. If you infringe on any material that is protected by copyright/patent without proper authorization, you may be subject to criminal and/or civil penalties. A formal copyright/patent declaration need not be in evidence for legal copyright/patent protection to be in force.

In general, the copyright to original works created by faculty members using College computing resources belongs to the faculty member except where the work is for commercial gain and involves significant amounts of state resources. Works for commercial gain that will involve significant amounts of state resources should not be undertaken until there is a written agreement that allocates ownership, profits, and costs between the faculty author and the College. 

Original works created by administrators, exempt employees, classified staff, and student employees are generally considered to be “works for hire” and the copyright to any such original works is owned by the College. Refer to Section 675.000 of the Clark College Administrative Procedures Manual for additional information related to College copyright policy.

5. External Networks and Computing Resources

If you use College computing resources to access external networks and computing resources, you agree to comply with the policies of those external networks and computing resources. Specifically, you agree to comply with the Community and Technical College Network (CTCNet) Acceptable Use Policy (http://www.ctc.edu/~ctcadmin/WCTC_Acceptable_Use_Policy.html).

6. Grievance Procedure

You may seek redress for any grievance arising out of the interpretation/enforcement of one or more provisions of this policy by following appropriate procedures detailed in Administrative Procedure 680.000 GENERAL GRIEVANCE PROCEDURE FOR ADMINISTRATORS, EXEMPT STAFF, AND CERTAIN CLASSIFIED EMPLOYEES and/or applicable negotiated agreements.

7. Administration 

All computing resource policies must be reviewed by the Information Technology Council (ITC) and approved by the Executive Cabinet before they are implemented. Substantive changes to this policy are initiated by the ITC, and an opportunity for review/comment by the user community will be provided prior to adoption. You may contact the director of computing services to communicate any comments, suggestions, or concerns that you may have related to this policy.

8. Privacy

Pursuant to the Electronic and Communications Privacy Act of 1986, Title 18, United States Code, Sections 2510 and following, notice is hereby given that there are no facilities provided by Clark College for sending or receiving confidential messages. Users must be aware that electronic messaging systems may not be secure from unauthorized access and should not be used to deliver confidential information.

Authorized College staff, with due regard for the right of privacy of users and the confidentiality of their data, have the right to suspend or modify access to computing resources, examine files, passwords, printouts, tapes, and any other material which may aid in the investigation of possible abuse. Any such investigation must be specifically authorized by the president of the College or designated representative. Whenever appropriate, the cooperation and agreement of the user will be sought in advance. Users are expected to cooperate in such investigations when requested to do so. Failure to cooperate in the investigation of possible abuse may result in suspension of access to computing resources.

9. Disclaimer

The College accepts NO RESPONSIBILITY for any damage to or loss of data arising directly from or incident to the use of Clark College computing resources, or for any consequential loss or damage therefrom. It makes representation of NO WARRANTY, express or implied, regarding the computing resources offered, or their fitness for any particular use or purpose.

10. Agreement to Comply

You implicitly acknowledge, by continued use of computing resources, your agreement to comply with all published policies governing the use of College computing resources.

Distribution lists facilitate the exchange of information between employees. Users of the College e-mail system can reduce the volume of e-mail and promote efficient use of the campus network by following these guidelines for use of the campus distribution lists.

455.030 CELLULAR DEVICES

Clark College recognizes that cellular devices, for certain personnel, are valuable tools that aid the College in conducting business in an effective and timely manner. These tools can boost employee productivity, improve service, and promote public and employee safety.

This policy governs the authorization, use, and payment for cellular devices required for business purposes by Clark College. It ensures compliance with state statutes, administrative codes and case law regarding public records retention and discovery, permissible use of state-purchased devices, and monthly allowances for employees using personal devices to conduct state business. This policy addresses cellular devices for which the College will incur ongoing costs, either because the College purchased and maintains the device or because an employee seeks an allowance for using a personal cellular device for business purposes. It also addresses employee obligations under state law regarding public records retention and discovery even when an employee uses a personal device only for occasional business purposes and does not seek an allowance from the College. This policy applies to all units and individuals at the College.

Definitions

Cellular device: A portable device with cellular communications capability and a cellular service plan such as a cell phone, smartphone, data card, cellular-enabled tablet, notebook, or any other type of device that uses cellular voice or data services. Not included in this definition are Wi-Fi-only devices (notebook computers, tablets, iPods, etc.).

College-Issued Devices

Clark College may issue cellular mobile devices to College employees based on one or more of the following job requirements:

1. The employee’s job requires field work or travel where landline phones are inaccessible or inefficient;

2. The employee’s job requires immediate or on-call availability;

3. The employee needs a cellular device for work-related safety, security, or other emergency reasons;

4. The employee’s job requires real-time communication, including email; or

5. Other requirements as defined and documented by the College.

Procedure for requesting a College-issued cellular device:

  1. Read the Clark College Cellular Device Policy and Procedure.

  2. Consult with your supervisor to discuss the service plan types (i.e., voice, text messaging, data) required and the service plan limits (i.e., call minutes, data usage). Authorized plans can be reviewed at the Department of Enterprise Services website at http://des.wa.gov/services/cell-phones-and-service-plans. If you have questions or need additional assistance please contact IT Services at 360-992-2425.

  3. Complete the Cellular Device Authorization and Agreement form (found on ClarkNet) and secure the required approval.

  4. Forward completed form to the Director of IT Services (MS – BRD 017).

  5. Prepare a purchase request for the desired equipment and service plan. The purchase request should include a line item listing the monthly service plan charges from the order date through the end of the fiscal year (June 30).

  6. To continue service in subsequent years, prepare a blanket purchase request in an amount sufficient to cover the monthly charges plus a small contingency for one year. Submit the purchase request prior to the beginning of the fiscal year (July 1).

  7. If the cellular device is capable of email transmission or Internet access (i.e., smartphones and tablets), contact the IT Services Help Desk (ithelp@clark.edu or 360-992-2425) for assistance with equipment configuration.

  8. To cancel service or to change service plans, contact the IT Services Help Desk (ithelp@clark.edu or 360-992-2425).

Note: If you wish to change to a different cellular carrier and retain an existing telephone number, you must make arrangements to transport the number prior to terminating the current service. Contact IT Services for assistance with this process. Caution: cellular equipment is bound to a specific carrier and in most cases cannot be used with a different carrier. Changing carriers will, in most cases, require the purchase of new equipment.

Responsibilities

Clark College

  1. Clark College is responsible for ensuring the appropriate issuance and use of College-owned cellular devices and services, including employee eligibility, plan usage, and billing.

  2. For College-owned devices, Clark College must use existing state contracts for cellular devices and services unless there are compelling business reasons to do otherwise (e.g. coverage, service or plan type, etc.).

  3. Requests for cellular equipment and services will be reviewed and approved by the employee’s Executive Cabinet member.

  4. Supervisors of employees who have been issued a College-owned cellular device or who receive an allowance for business use of a personal cellular device will, on an annual basis, review the need to continue the service or allowance. In the case of College-owned cellular devices, supervisors will actively monitor billing statements to ensure compliance with College policy and the Washington State Executive Ethics Law.

  5. If a cellular device is lost or stolen, the device (College-issued or authorized personal cellular device) may be wiped remotely by IT Services (State IT Security Standards).

Employee

  1. Employees who are issued a College-owned cellular device are to use the device for business purposes only. Personal use of state-owned equipment and services, with few exceptions, is prohibited by state law. Employees must be aware of their responsibilities under the law. For more information, visit the Executive Ethics Board website at www.ethics.wa.gov.

  2. Employees are responsible for the safekeeping, care, and custody of cellular devices issued to them.

  3. Employees who have been issued a College-owned cellular device are expected to monitor and stay within the limits of the service plan that has been approved for them. If an employee anticipates that the approved service plan(s) will be inadequate to meet job requirements, the employee is to review the current service plan with their supervisor and upgrade the service plan as needed. Employees are to avoid the use of additional cost services (e.g., directory information) that are not included in the service plan. International calls on cellular devices can result in significant cost to the College, and conventional (land line) long distance service should be used whenever possible. International travelers should contact IT Services for assistance with international calling plans.

  4. When requested to do so, employees who have been issued a College-owned cellular device will review billing statements with their supervisor and provide explanations for call activity as needed. Clark College employees are responsible for managing and retaining public records related to cellular device usage in accordance with records retention schedules, including but not limited to billing and usage records.

  5. Clark College employees are responsible for backing up data stored on cellular devices so that the data can be restored in the event of hardware failure, or if the device is lost or stolen. Contact the IT Services Help Desk (ithelp@clark.edu or 360-992-2425) to discuss backup strategies.

  6. Employees in overtime eligible positions must document hours worked each day and each workweek. When an overtime eligible employee is issued a College cell phone or receives a cell phone allowance, the supervisor and employee must ensure time spent on the phone for work purposes is included in the documented hours worked.

  7. Employees must notify their supervisor or appropriate management immediately in the event of damage, loss or theft of cellular devices. The employee must provide written notification within three business days.

  8. While on state business, employees must comply with all laws applicable to use of hand held cellular devices (wireless communication devices) while operating a motor vehicle, including RCW 46.61.667 (no handheld devices) and RCW 46.61.668 (no texting).

  9. Employees must return state-owned cellular devices to their supervisor immediately when the employee leaves employment at the College or is no longer authorized to use a cellular device.

  10. Any employee using a state-owned device or seeking a monthly allowance for using their personal cellular device to conduct state business must sign the authorization agreement or is in violation of this policy.

Personal Mobile Devices Used for Business Purposes

As an alternative to issuing a College-owned cellular device, department heads may authorize a monthly allowance to employees who meet eligibility criteria to offset the cost of business use of their personally-owned cellular device. An employee is not obligated to use a personal cellular device for business purposes but may do so voluntarily. If an employee is required to use a cellular device for business purposes but does not want to use a personal device, the department will authorize the issuance of a College-owned cellular device. The allowance for business use of a personal cellular device may be authorized when the following conditions are accepted in writing by the employee:

  1. All employees who use a personal cellular device to access business documents and communications must comply with state and College-specific security standards, records management and retention schedules, and all other applicable laws and standards.

  2. All call records, documents and data, photos, etc. used to conduct state business, and created, stored, or transmitted on personally-owned devices, are subject to records retention requirements and public records disclosure.

  3. Personal call records and other information (e.g. personal data, photos, text messages, etc.) may be subject to review or audit in the event of a litigation hold or public disclosure request.

  4. The owner of a personal cellular device may be required to surrender the device, including all personal and business related information, if it is subject to a public records request or litigation hold.

  5. The employee is responsible for all costs and maintenance of the personal cellular device and service plan. The employee is also responsible for all contract fees such as activation fees and early termination penalties, regardless of the reason for authorizing or terminating an allowance.

  6. If the device is lost or stolen, the cellular device may be wiped remotely by IT Services (State IT Security Standards).

The authorizing staff member and employee must complete the Cellular Device Authorization and Agreement to document business need and policy acceptance. This document can be found on ClarkNet.

Allowance for Business Use of Personal Cellular Devices

Allowances for employees who are authorized to use personal cellular devices for business use are listed in Allowances for Business Use of Personal Cellular Devices. This document can be found on ClarkNet.

Procedure for requesting an allowance for business use of a personal cellular device:

  1. Read the Clark College Cellular Device Policy and Procedure.

  2. Consult with your supervisor to discuss the appropriate allowance amount (i.e., voice, data, or both).

  3. Complete the Cellular Device Authorization and Agreement form (found on ClarkNet) and secure the required approval.

  4. Forward copies of the completed form to the Director of IT Services (MS – BRD 017) and Purchasing Services (MS – BRD 150).

  5. Prior to selecting a carrier and purchasing a cellular device, contact the IT Services Help Desk to receive guidance on which devices are compatible with the College’s Microsoft Exchange email system. Note: Clark College is under no obligation to support the integration of all cellular devices with the College’s email system.

  6. Clark College cannot guarantee adequate cellular reception in all College buildings or locations.  Cellular coverage varies considerably depending on the location and carrier. Employees who request an allowance for existing personal cellular device plans must verify that cellular coverage is adequate to conduct their work at the College.

Employees of Washington State agencies (including Clark College) are entitled to service plan discounts (typically 15%) from major carriers on their personal plans. Clark employees are encouraged to request this discount for new or existing accounts. Your employee ID card may be required to receive the discount.

Use of Personal Mobile Devices by Employees Not Seeking an Allowance

Employees who use their personal devices to conduct state business but elect not to request a monthly allowance are still governed by all state statutes, administrative codes and case law regarding public records retention and discovery – regardless of how frequently they use their devices for state business purposes.  Please see Security, Privacy and Records Management, 5.3, below.

Security, Privacy, and Records Management

  1. Recognizing that cellular device activity and transmissions may not always be secure, employees must follow College IT security standards and are prohibited from storing or relaying confidential information by such means unless authorized by College policy.

  2. Clark College reserves the right to monitor the use of all state-owned cellular devices and services. Employees should not expect privacy in their use of state-owned equipment and services.

  3. All call records, documents and data, photos, etc. used to conduct state business via a personal device, and all contents of a state-owned device, are subject to records retention requirements and public disclosure. While the state does not have unfettered access to an employee’s personal device, any personal call records or other information may be subject to review or audit in the event of a public records request or litigation hold. Personal data (data on a personal device that does not constitute a public record) is not subject to public disclosure; however, all data on a state-owned device is deemed a public record.

  4. The cellular device may be wiped (erased) remotely by IT Services when the device is lost or stolen, per State IT Security Standards.

New Policy/Procedure Approved by Executive Cabinet
April 9, 2013

455.035 USE OF E-MAIL DISTRIBUTION LISTS

  1. Master Distribution List

    The Master Distribution List contains the names of all full-time and part-time College employees, Foundation employees, ASCC student government officers, and some College business partners (e.g., WorkSource).  Post to the Master Distribution List only when your message is relevant, important, or of interest to a large percentage of the campus community. Examples of messages fitting these criteria include: College closure information, security/safety/health alerts, facilities maintenance information, messages from the College administration or Board of Trustees, Personnel notices, registration calendar, etc. Use the alternative lists described below whenever possible to better target your audience. The Master Distribution List is not to be used for discussions, debates, opinions, or jokes. Membership on the Master Distribution List is required for all College employees.

  2. Preprogrammed Distribution Lists

    Several preprogrammed distribution lists with specific target audiences (e.g., faculty, staff, etc.) are available through the Outlook address book. To choose a distribution list, open the Outlook address book and click on the drop-down list entitled, “Show Names from the:” Choices for preprogrammed distribution lists can be accessed by clicking on the Distribution Lists menu item. Other list-selection options are related to instructional organization and include units, divisions, and departments.

  3. Alternative Lists

    The Forum list is intended to be a list where ideas are exchanged and issues are debated. Use this list to propose ideas, solicit feedback, state an opinion, post a gripe, or pat somebody on the back. Most postings to this list will either request or invite feedback, so use the list accordingly. 

    Membership on the Forum list is voluntary. Clicking the reply button in response to a message posted to the Forum list will address the entire list membership.

    The Messages list is intended to be a medium for posting announcement-type messages that are generally one-way in nature. Examples include upcoming events and activities, news items, celebrations, thank-you notes, farewells, etc. Membership on the Messages list is voluntary. Clicking the reply button in response to a message posted to the Messages list will address the original sender only.

  4. Additional Information

    Visit the Clark College Intranet for additional information related to this policy, including general usage guidelines.

455.045 NETWORK SECURITY

Introduction

The proliferation of information technologies, including the Internet, has created a myriad of opportunities and challenges for individuals and organizations that use these technologies. The potential for malicious mischief, damage to or loss of equipment or data, and loss of privacy dictates that prudent steps be taken to safeguard the information technology assets of the College. Network security cannot be achieved with technical solutions alone; the College relies on its students and employees to be active participants in achieving a secure network environment.

Scope

This policy details the rules and expectations that apply to employees of Clark College and any other parties who have been authorized to use College network resources.

Statutory Authority

The provisions of RCW 43.105.041 detail the powers and duties of the Information Services Board (ISB), including the authority to develop statewide or interagency information services and technical policies, standards, and procedures. This policy is executed in accordance with the Washington State Department of Information Services Information Technology Security Standards.

Data Security

Many College employees, as a requirement of their job duties, have access to sensitive or confidential information.  It is of utmost importance that employees are aware of the laws and regulations governing the handling of sensitive or confidential data and that they take appropriate measures to safeguard any sensitive or confidential data with which they are entrusted.  Sensitive and confidential data are defined as follows:

  • Sensitive. This class includes data for which specific protections are required by law or for which agencies are obligated to prevent identity theft or similar crimes or abuses. Examples of this class of data are people’s names in combination with any of the following: driver’s license numbers, date of birth, employee/student ID number (SID), and personal address, e-mail addresses, and telephone numbers. Also included are student data protected under the Family Educational Rights and Privacy Act (FERPA).

  • Confidential. This class includes passwords, social security numbers (SSN), credit card numbers, expiration dates, PINs, and card security codes, financial profiles, bank routing numbers, medical records, and law enforcement records.

Data breaches resulting from employee errors or negligence can have serious financial implications and can damage the reputation of the College. Listed below are elements of information systems that pose data security risks and the corresponding College policy that addresses each element.

1. Passwords

Username and password combinations are the primary means of authenticating users of Clark College network resources and are an important element of the College’s security program.

Policy:  Where access to computing resources is protected by a personal password, no person shall divulge their password or allow others to use their password-protected account. Users shall take appropriate measures to safeguard their personal passwords to prevent unauthorized access to College computing resources.

In some cases, generic computer accounts are created and the username and password are intended to be shared by multiple users. These cases represent the only exceptions to this password policy.

2. E-mail

E-mail messages processed by the College e-mail system are not encrypted either in transport or storage.  It is possible for someone with the proper tools and sufficient access to the system to read the contents of an e-mail message. Therefore, the College e-mail system is not considered private and should not be used to communicate confidential information.

Policy: Clark College employees shall not use the College electronic mail system to communicate (internally or externally) or store confidential information.

3. Mobile Devices and Removable Storage Media

Mobile devices such as notebook computers and computer tablets, and removable storage media such as flash drives, CDs or DVDs, and portable hard disks are essential tools, but these devices pose a significant risk to data security if used to store sensitive or confidential information. All data encryption should meet industry standards for secure data encryption. To further protect the data contained on laptops and tablets, all college owned laptops and computer tablets will have encrypted hard drives. Laptop and tablet users will be required to bring their college owned laptops to Information Technology Services once a year on a predesignated schedule to verify the encryption and update the laptop with all security patches and software updates as needed. Mobile device users will not attempt to disable security updates or hardware encryption.

Policy: Mobile computing equipment and removable storage media shall not be used to store or transport unencrypted confidential information. All college owned laptops and computer tablets will have their hard drives encrypted by Information Technology Services to limit data access in the event of a lost or stolen hard drive. College owned laptops and tablets will be returned to the Information Technology Services department once a year for encrypting and updating.

4. Databases

Database applications such as Microsoft Access are standard components of the College’s suite of office productivity software.  With a modest amount of training, database tools like Access can be used to create useful applications that increase office efficiency and productivity. However, if such a custom database, whether developed by an employee, a student, or an outside entity, is used to store sensitive or confidential information without sufficient access safeguards, there is a risk to data security.

Policy: No College employee shall purchase, develop, approve the development by others, or implement a database application that will be used to store sensitive or confidential information without the approval of the director of information technology services.

5. Application Service Providers

An Application Service Provider (ASP), sometimes called a “hosted service,” is a business that provides computer-based services to customers over a communications network. Typically, the ASP develops and maintains software applications, and supplies the servers, databases and communications equipment needed to deliver the service to the customer. The services of an ASP may be delivered over a private network but, more frequently, the Internet and the Web are used to collect and process customer information. The use of the Internet as a transport network provides ubiquitous access to the ASP’s application, but also poses significant data security risks.

Policy: No College employee shall purchase or utilize the services of an Application Service Provider where the ASP will collect, process or store sensitive or confidential information without the approval of the director of information technology services.

6. Hardcopy Data

Printouts and other hardcopy media containing sensitive or confidential data must be properly disposed of to prevent unauthorized access to the information. Faculty and staff must be particularly mindful of their obligation to safeguard student information protected under Family Educational Rights and Privacy Act (FERPA). Approved receptacles are provided in each campus building for the disposal of sensitive print documents.

Policy:  Clark College employees shall only use approved secure receptacles to discard print material containing sensitive or confidential information.

Connections to the Campus Network

Information Technology Services personnel are available to assist College employees with equipment installations and moves that require network connectivity. Employees who wish to install or move computers or other network-connected equipment should contact the Information Technology Services Help Desk before attempting to connect equipment to the network. An Information Technology Services technician will ensure that the network device and jack are properly configured and that equipment inventory and network port records are appropriately updated. Temporarily disconnecting a networked computer and/or telephone to rearrange or clean an office does not require Information Technology Services assistance provided the user notes the original location of network and telephone cords.

Policy: No person shall connect any network device including hubs, switches, routers, network printers, wireless access points, and network test and measurement equipment to the Clark College network without the knowledge and prior approval of the network systems manager.

Faculty members who teach network technologies must coordinate their activities with the network systems manager to ensure that instructional uses of the College network are secure and compatible with other network functions.

Web Servers and Internet Services

Internet services such as Web servers, mail servers, File Transfer Protocol (FTP) servers, etc., pose a significant security risk to Clark College computing resources. It is essential that these services be properly deployed and maintained to minimize risk. Information Technology Services provides these services for the institution and, with the exception of certain instructional applications, there is no need or justification for employees to run Internet services on personal computers.

Policy: No person shall, without the prior written approval of the network systems manager, download, install and run a Web server on their office computer or any other computer connected to the College network. Furthermore, no other Internet accessible service, such as FTP, electronic mail, remote login (Telnet), etc., shall be downloaded, installed or maintained by any person on any computer connected to the College network.

Information Technology Services staff will, on a regular basis, perform network scans that will detect unauthorized Internet services running on the campus network. In the event unauthorized Internet services are discovered, ITS staff will, without prior notification, disable the network connection to the computer running the service. The employee responsible for the computer found running unauthorized Internet services will be contacted and informed of the action taken. Network connectivity will not be restored until the unauthorized software is disabled or removed.

Wireless Network Access

Unauthorized wireless network transmission devices pose a significant risk to network security. Information Technology Services installs and maintains wireless equipment that is configured to ensure an appropriate level of security. The placement of transmitters is critical to ensure adequate coverage while limiting the range of the transmitted signal to the intended coverage area.

Policy: No person shall connect a radio transmitter designed to broadcast network traffic (wireless access point or node) to the Clark College network without the express permission of the network systems manager.

Unauthorized wireless access points that are discovered on the College network will be disconnected from the network and confiscated.

Anti-Virus Software 

  • Windows Computers. The anti-virus software and virus definition files for Windows computers are automatically updated from a central server. This process is transparent to the user. Every network-connected Windows computer (except lab computers) is subjected to a full file scan each week. Currently, this scan is initiated on Thursday at approximately 11:30 a.m. A window opens on the desktop informing the user that the scan is taking place. The user may minimize this window and continue working while the file scan proceeds. If the computer’s performance is being adversely affected, the user has the option to delay the scan for a period of one or three hours. The user has the ability to perform this “snooze” function up to three times, after which the virus scan will be initiated.

  • Macintosh Computers. Macintosh computers have anti-virus software installed at the time the machine is initially set up. The anti-virus software is configured to access the anti-virus update server to check for updates to the software and virus definition files weekly. If updates are available, the software will be automatically downloaded and be installed on the machine. It is important that users not modify or attempt to disable this anti-virus update service.

Software Auto-Update Service

  • Windows Computers. Windows machines are configured to automatically check for critical updates on a local server via Microsoft Windows Server Update Services (WSUS). This process will download critical patches to the operating system and application software as they become available and are approved by the WSUS administrator. The Windows user is first notified that updates are available for downloading from the WSUS server by a flashing icon in the lower right hand corner of the screen. It is important that users initiate the download process as soon as possible. This usually takes less than a minute. Next, the user is prompted to initiate the installation of the downloaded critical update on the computer. Again, users are urged to initiate this process immediately and not defer it to a later time. Lastly, in many cases users are prompted to reboot their machine so that the update process can take effect. If you are involved in a project and do not want to be interrupted, you may defer this last step and the patch will be applied the next time you restart your machine (be sure to power down before you leave for the day). It is important that Windows users respond to the notification that critical updates are available. If you ignore the update notification or continue to defer the application of the update, you risk a potential attack on your computer and possibly other computers on the College network.

  • Macintosh Computers. Macintosh computers are configured to automatically check for updates weekly on an Apple software update server (XSUS). Operating system and application updates are tested and enabled by the XSUS administrator. The updates are automatically downloaded to the client computer and the user is notified of pending updates. Updates are applied when the computer is restarted. Users should restart their computers at the earliest opportunity.

Enforcement

Employees who intentionally violate the provisions of this policy are subject to disciplinary action in accordance with established College policy and/or negotiated agreements.

New Policy/Procedure Approved by Executive Cabinet
May 17, 2016

455.050 ACCESSIBLE TECHNOLOGY POLICY

Clark College values accessibility as outlined in our Strategic Plan and in accordance with federal and state laws and guidelines. Clark College is committed to providing accessible technology in its educational and administrative services, programs, and activities.  Ensuring equitable and effective electronic and information technology access is the responsibility of all college administrators, faculty, and staff. This policy applies to the procurement, development, use and implementation of all Clark College technologies and content. Clark College technology should provide substantially similar functionality, experience and information access to individuals with disabilities as it provides to others. Examples of technology covered by this policy include web sites, software systems, electronic documents, videos, student information systems, learning management tools, third party software platforms, and assessment tools.

Clark College is required to provide appropriate, effective, and integrated access to technology and electronic content for students, employees, and external community members. Clark College will follow Web Content Accessibility Guidelines 2.0 level AA accessibility guidelines and the most current guidelines per the Section 508 requirements. Clark College will maintain an accessibility plan identifying nonaccessible technology, alternative methods of access, and actions taken to correct unresolved accessibility issues.

For guidelines on purchasing accessible technology, please reference Administrative Procedure 440.070.

The authority for this procedure is based upon the following federal and state statutes, policies and guidelines: