455.000 - Information Technology Services

The College shall provide an information technology infrastructure to support all instructional, administrative and student support services. The College shall manage its technological infrastructure, system, equipment and resources through a series of procedures, guidelines, rules, regulations, restrictions, and requirements. The Board shall delegate to the president or designee the authority to develop, implement and enforce all appropriate administrative procedures.

455.005 TELEPHONE SERVICES

The College provides telephone services for the purpose of conducting official activities. Local calls of a personal nature are permitted for the efficiency and welfare of the College staff. Long distance calls (calls outside the local 360 area code) may be made only for authorized business purposes. RCW 42.52.160 states that no state employee may employ or use any person, money, or property, under the employee's official control or direction, or in his or her official custody, for the private benefit or gain of the employee or another.

Students should not be permitted to use staff telephones except as directly authorized by a staff member for College business or emergency only. Pay telephones are available for personal use by students. 

Offices containing telephones should be kept locked when not under the supervision of a College staff member.

Telephone problems should be reported to Information Technology Services. If a change in telephone service or equipment is needed, a Service Request may be submitted to Information Technology Services by e-mail at techsupport@clark.edu or by calling the Help Desk at (360) 992-2425.

Cellular Phones

The College provides two options for cellular telephone service for those employees who require this service to perform their job duties and who have received approval to purchase or be reimbursed for cellular telephone service.

Option 1. The College provides the telephone instrument and pays the cost of the voice and data plan, if applicable, with the understanding that the telephone is to be used for business purposes only in accordance with the Executive Ethics Law.

Option 2. In the case of employees who wish to use their cellular service for both personal and business calls, and also wish to synchronize College e-mail and calendar data with their personal telephone instrument (smart phone), the employee purchases the telephone instrument and service plan and requests reimbursement from the College for the data service only (voice service paid by the employee).


Employees selecting Option 2 are to request applicable government discounts at the time service is ordered.  Employees are to be reimbursed for the data plan only plus the pro rata share of applicable taxes based on the base rate of the service provided.

Employees may seek reimbursement on a quarterly or annual basis by submitting a purchase request and attaching copies of monthly billing statements (voice plan call detail records are not required).

Employees must request reimbursement annually at a minimum. Request for reimbursement in excess of twelve months in any fiscal year will not be honored.

Employees who are considering Option 2 are urged to check with Information Technology Services to insure that the telephone instrument and service plan being considered is compatible with the Microsoft Exchange e-mail system. The College is not responsible for insuring compatibility between the multitude of mobile plans and the College’s Exchange e-mail service.

455.010 FAX SERVICES

College employees are not to use College FAX machines for personal/private use. FAX services may be purchased in the Bookstore.

455.015 USE OF COMPUTER SOFTWARE

Unauthorized duplication of patented or copyrighted computer software, information processing service, electronic database, software program, or electronic data, or violation of applicable software licensing agreements is strictly prohibited. The term "computer software" includes the package delivered or offered to the College but is not limited to computer programs, manuals, copyrighted accessories, data, and intellectual property.

The term "duplication" refers to the copying of material or information in any form—electronic or otherwise.

The liability for willful infringement of a copyright or violation of a software licensing agreement will lie exclusively with the person who made or ordered the unauthorized copy or violated or caused the software agreement to be violated. Clark College will assume no responsibility, will pursue all remedies available against a violator, and will not provide legal assistance to those who have violated the law or licensing agreements.

Computer users must contact the director of information technology services if there are any questions about software that is protected by copyright or licensing agreements. The director of information technology services will assist those who need help understanding full compliance with the federal and state law.

Clark College employees will not condone copyright or licensing violations by students and other employees.  Those who witness or are aware of violations of copyright law or licensing agreements should report the matter promptly to the director of information technology services. Please also see Administrative Procedure 535.075 EMPLOYEE INFORMATION TECHNOLOGY RESOURCES POLICY.

455.020 PERSONAL COMPUTER and IT PURCHASING

To help create a standard computing system across campus, Information Technology Services (ITS) has designated recommendations for standard computer equipment purchases. Exceptions can be made for specialized equipment with proper documentation and approval.

Any network enabled device that will connect to Clark Colleges shared network infrastructure should be purchased through the ITS purchasing system (departments need not involve ITS for non-networked items such as toner, keyboards, mice, power strips etc.).

When a department would like to purchase a new computing device or software:

  1. Department requesting computing devices or software assessments shall create a ticket through the ITS website via IT HelpDesk Ticketing System.
  2. ITS will assist in determining equipment needs and provide vendor quotes for the department request (quotes will be attached to the ticket to preserve lifecycle timeline)
    1. All requests will be tracked within the ITS ticketing system
    2. For IT software purchases an additional assessment is required for accessibility and cyber security. 
    3. Instructions will be provided within the ITS ticketing system for software assessments needing review via the Colleges Application Development Oversight and Planning Committee (ADOPC)
    4. Additional ITS consultation is also available for larger projects or customized requests that involve IT Project Management, IT Media Services, and/or the IT Cyber Security team.   
  3. Please plan for extend time required for committee review and specialized cost assessments.
  4. Once quotes are approved by both IT and requesting department the department will create the purchase requisition and attach the quote for purchase to the original ITS ticket. 
  5. ITS will receive and inventory the equipment as well as coordinate installation with the requesting department.
  6. All requests and associated correspondences will be tracked within the ITS ticketing system.

Revised Policy/Procedure Approved by Executive Cabinet
July 23, 2019

455.022 APPLICATION SERVICE PROVIDERS

Introduction

An Application Service Provider (ASP), sometimes called a “hosted service”, is a business that provides computer-based services to customers over a communications network.  Typically, the ASP develops and maintains software applications, and supplies the servers, databases and communications equipment needed to deliver the service to the customer. The services of an ASP may be delivered over a private network but, more commonly, the Internet and the World Wide Web are used to collect, process and store customer information. The use of the Internet as a transport network provides ubiquitous access to the ASP’s application, but also poses significant data security risks.

The College will typically enter into a contract with an ASP to provide services, for which it will pay the ASP a fee. An ASP may also be loosely affiliated with the College. An ASP in this category is not generally paid by the College for the service it delivers. An example is an enterprise that uses advertising revenues to provide a free service to the College’s students. The use of any ASP that wishes to associate the service it provides with the College in any way, directly or indirectly, by reference or the use of logos, brand, etc., falls under the purview of this policy.

Scope

This policy details the requirements and procedures that must be followed by Clark College employees or contractors who wish to engage the services of an ASP. It further describes the general requirements of the ASP.

Statutory Authority

The provisions of RCW 43.105.041 detail the powers and duties of the Information Services Board (ISB), including the authority to develop statewide or interagency information services and technical policies, standards, and procedures. This policy is executed in accordance with the Washington State Department of Information Services Information Technology Security Standards.

Managing Risk

Clark College relies heavily on information technologies both in its business operations and in its instructional programs. Hosted services are increasingly used to deliver/augment instruction and for administrative or support services. By their nature, ASPs operate outside the normal internal procedures and controls of the College. Therefore, special attention must be paid to the selection and use of ASPs to effectively manage the risk associated with hosted services. Inasmuch as most ASPs collect or share data with the College, and store data on their servers or those of a subcontractor, steps must be taken to fulfill the College’s statutory obligation to provide appropriate safeguards for sensitive or confidential data. 

Project Sponsor Requirements

The ASP project sponsor, the person or organizational unit within the College requesting the services of the ASP, shall follow the ASP engagement process outlined below prior to engaging the services of an ASP.

  • The project sponsor must submit the draft project proposal to the Director of Information Technology Services for preliminary review prior to engaging the vendor community.
  • Special data security requirements apply to ASP’s that will share, collect, process and store data classified as “sensitive” or “confidential.”  See definitions at the end of this policy.
  • The project sponsor, while exploring functional requirements with a vendor or obtaining budgetary quotes, must not state or imply that the business will be awarded to the vendor. Most large projects are subject to a competitive procurement (bid process).
  • If the cost of the service being considered exceeds $10,000, including annual licensing fees and implementation costs, the project must be put out to bid unless there is compelling justification to pursue a sole-source procurement. This process generally requires the development of a Request for Proposal (RFP) document containing detailed specifications for the project. Drafting the RFP requires the involvement of Purchasing Services and Information Technology Services. The project sponsor must allow a minimum of 90 days from the date of Executive Cabinet approval until the awarding of a contract. 
  • A contract between the College and the ASP must be written detailing the terms and conditions of the service engagement. This contract must be reviewed by the director of operations and auxiliary services and approved by the vice president of administrative services.
  • ASP project proposals, including budgetary estimates, must be approved by the project sponsor’s representative on the Executive Cabinet of the College prior to initiating the RFP process or engaging the services of an ASP.

 Application Service Provider Requirements

  • If the ASP will be sharing, collecting, or storing “sensitive” or “confidential” information, the ASP must comply with the minimum security requirements set forth in the security standard entitled Clark College IT Security Standard – Application Service Providers.
  • The ASP security standard requires the vendor to provide a detailed description of the hosted service environment and to certify that the ASP complies with the requirements of the standard. The College cannot do business with vendors who are unable or unwilling to certify compliance with this security standard.
  • It is anticipated that the ASP security standard will change over time as new requirements and/or threats are identified. Vendors are required to re-certify compliance with the standard including any revisions or additions at the time of the contract renewal.
  • Vendors are required to sign a contract detailing the terms and conditions of the service engagement. The College will not accept standard vendor contracts but will negotiate the terms of the contract with the vendor. 

Enforcement

Employees who intentionally violate the provisions of this policy are subject to disciplinary action in accordance with established College policy and/or negotiated agreements.

Definition of Data Classes

The following definitions are used to classify data for security purposes:

Normal:  The least restrictive class of data.  Although it must be protected from unauthorized disclosure and/or modification, it is often public information or generally releasable under College procedures for processing public records requests. Examples of this class of data are: class schedules, course catalogs, general ledger data, and employee demographic statistics.

Sensitive:  This class includes data for which specific protections are required by law or for which agencies are obligated to prevent identity theft or similar crimes or abuses. Examples of this class of data are:  peoples’ names in combination with any of the following: driver’s license numbers, birth date, employee ID number (EID), address, e-mail addresses, telephone numbers. Also included are: agency software source code or object code, agency security data, education records including papers, grades, and test results, or information identifiable to an individual that relates to any of these types of information.

Confidential: This class includes passwords, Social Security Numbers (SSN), credit card numbers, expiration dates, PINs, and card security codes, financial profiles, bank routing numbers, medical data, law enforcement records. All data classified as Confidential shall be encrypted in storage and in transit. Access to these elements are tightly controlled and audited.

New Policy/Procedure Approved by Executive Cabinet
October 12, 2010

455.025 REMOTE ACCESS POLICY

Introduction

Remote Access Via VPN:

Remote Access to campus resources including remote desktop users requires Virtual private network access (VPN).  VPN access allows the user the ability to logon to a campus machine from a remote location for the purpose of accessing files and for performing work including IT routine maintenance. 

All computers and laptops used for remote access to any on campus computing environment via the Internet shall meet IT standards.  Adequate technologies must be used to ensure minimal risk is placed on Clark College’s shared network environment.  This includes requiring Clark College’s virtual private network (VPN) and anti-virus software installed and activated on all computing devices. 

Access to quick reference and software resources can be found on the IT website

In addition when using remote personal devices to access Clark College campus servers and computing resources:

  • Personal Firewall software shall be enabled 
  • Active and up to date Anti-Virus shall be installed 
  • Enable Clark College’s authentication solution 
  • Utilize Clark College's supported VPN software

As per: 630.065 Telework

The following must be followed:

  • Clark College's Virtual Private Network (VPN) must be used for all college personnel remote access and IT administration.
  • All remote access to the Clark College network involving public networks such as the Internet must be authenticated via a strong authentication scheme.
  • If there is a need to allow external access to a vendor or contractor, the following process must be observed by a designated IT Network Engineer to connect and disconnect external entities:
    • Verify that the Management and Connection for vendor access is logged and access is only allowed for a timeframe authorized by IT management (Director review required) before allowing any access.
    • In case of uncertainty, contact the manager authorizing the connection to verify the authenticity of the authorization.
    • Allow access at the appointed time.
    • Monitor connection.
    • Disable access after the allowed time is over.
    • Monitor system performance after the connection to identify any anomoly.

Anti-Virus Policy 

Applicability 

All systems commonly affected by viruses such as servers, workstations and laptops on Clark College networks, whether managed by employees or by third parties, must follow this policy. Exemptions from this policy will be permitted only if approved in advance and in writing by the CIO or Information Security Manager.

New Policy/Procedure Approved by Executive Cabinet
June 30, 2009

Revised Policy/Procedure Approved by Executive Cabinet
March 16, 2021

455.027 EMPLOYEE COMPUTING RESOURCES

1. Intent

It is the policy of the College to maintain access for its community to local, national, and international sources of information and to provide an atmosphere that encourages access to knowledge and the sharing of information. It is expected that College computing resources will be used by members of the College community with respect for the public trust through which they have been provided and in accordance with policy and regulations established from time to time by the College and its operating units.

2. Scope

In this policy, computing resources are defined as those computers, computer software, networks, and electronic messaging systems (e-mail, voice mail, facsimile and imaging systems) operated by or for the benefit of the students, faculty, and staff of the College. The use of these resources is a privilege, not a right.  It is the user’s responsibility to use these resources in a manner that is efficient, ethical, and legal.

All users shall strictly adhere to both the letter and spirit of this policy which is provided to ensure a predictable, secure computing environment for all users.  Failure to comply with the regulations set forth in this policy may result in loss of access to College computing resources, and administrative, civil, and criminal action under WashingtonState or federal law.

3. General Provisions

a. College computing resources are to be used only for authorized educational and business purposes. It is the obligation of College employees to be aware of the governing law, rules, and guidelines set forth in Chapter 42.52 RCW, Ethics in Public Service Act; WAC 292-110-010, Use of state resources; and Section 417030 of the Clark College Administrative Procedures manual, Ethics in Public Service. Copies of these documents may be obtained from the director of computing services.

b. If your access to computing resources is protected by a personal password, you are not to make this password available to others, or allow others to use your password-protected account, either purposefully or by omission. You may not allow someone else to give his/her password to you, or attempt to find out the password of another user, or aid such attempt by any other person. In some instances, shared accounts may be established to allow collaboration, in which case a password may be shared.

c. You may not interfere with the use of computing resources by any other authorized user, or compromise the confidentiality of the College’s internal business practices or records.

d. You may not use College computing resources to send, receive, or display information including text, images, or voice that is sexually explicit or constitutes discrimination or harassment. “Sexually explicit material” is defined in RCW 9.68.130, but exempts authorized study and research in the areas of art, health, and science. Procedures related to discrimination and harassment are specifically addressed in the Clark College Administrative Procedures manual, Sections 400, 600 and 700, and are incorporated herein.

e. You may not examine, copy, alter, rename, or delete the files or programs of another user without the user’s permission. System administrators may, as a requirement of system maintenance, delete files that are determined to be non-essential.

f. You may not forge any electronic message or engage in any other fraudulent activity using College computing resources.

g. You may not subvert or attempt to subvert, or assist others to subvert, the security of any computing resource or otherwise interfere with the legitimate operation of any computing resources, whether internal or external to the College (hacking).

h. The use of software or hardware devices designed to capture or examine network data (protocol analyzer or “sniffer”) is restricted to authorized College staff for the purpose of network maintenance and instruction. Unauthorized use of such software or hardware devices is expressly forbidden.

i. You may not use College computing resources to create, disseminate, or execute self-replicating or similar nuisance programs (e.g., virus, worm, Trojan horse, e-mail bomb, spamming), whether or not it is destructive in nature.

4. Copyrights/Patents

It is the employee’s responsibility to be informed of copyright and patent law as it applies to computer software and other materials that you may access using College computing resources. If you infringe on any material that is protected by copyright/patent without proper authorization, you may be subject to criminal and/or civil penalties. A formal copyright/patent declaration need not be in evidence for legal copyright/patent protection to be in force.

In general, the copyright to original works created by faculty members using College computing resources belongs to the faculty member except where the work is for commercial gain and involves significant amounts of state resources. Works for commercial gain that will involve significant amounts of state resources should not be undertaken until there is a written agreement that allocates ownership, profits, and costs between the faculty author and the College. 

Original works created by administrators, exempt employees, classified staff, and student employees are generally considered to be “works for hire” and the copyright to any such original works is owned by the College. Refer to Section 675.000 of the Clark College Administrative Procedures Manual for additional information related to College copyright policy.

5. External Networks and Computing Resources

If you use College computing resources to access external networks and computing resources, you agree to comply with the policies of those external networks and computing resources. Specifically, you agree to comply with the Community and Technical College Network (CTCNet) Acceptable Use Policy (http://www.ctc.edu/~ctcadmin/WCTC_Acceptable_Use_Policy.html).

6. Grievance Procedure

You may seek redress for any grievance arising out of the interpretation/enforcement of one or more provisions of this policy by following appropriate procedures detailed in Administrative Procedure 680.000 GENERAL GRIEVANCE PROCEDURE FOR ADMINISTRATORS, EXEMPT STAFF, AND CERTAIN CLASSIFIED EMPLOYEESand/or applicable negotiated agreements.

7. Administration 

All computing resource policies must be reviewed by the Information Technology Council (ITC) and approved by the Executive Cabinet before they are implemented. Substantive changes to this policy are initiated by the ITC, and an opportunity for review/comment by the user community will be provided prior to adoption. You may contact the director of computing services to communicate any comments, suggestions, or concerns that you may have related to this policy.

8. Privacy

Pursuant to the Electronic and Communications Privacy Act of 1986, Title 18, United States Code, Sections 2510 and following, notice is hereby given that there are no facilities provided by Clark College for sending or receiving confidential messages. Users must be aware that electronic messaging systems may not be secure from unauthorized access and should not be used to deliver confidential information.

Authorized College staff, with due regard for the right of privacy of users and the confidentiality of their data, have the right to suspend or modify access to computing resources, examine files, passwords, printouts, tapes, and any other material which may aid in the investigation of possible abuse. Any such investigation must be specifically authorized by the president of the College or designated representative. Whenever appropriate, the cooperation and agreement of the user will be sought in advance. Users are expected to cooperate in such investigations when requested to do so. Failure to cooperate in the investigation of possible abuse may result in suspension of access to computing resources.

9. Disclaimer

The College accepts NO RESPONSIBILITY for any damage to or loss of data arising directly from or incident to the use of Clark College computing resources, or for any consequential loss or damage therefrom. It makes representation of NO WARRANTY, express or implied, regarding the computing resources offered, or their fitness for any particular use or purpose.

10. Agreement to Comply

You implicitly acknowledge, by continued use of computing resources, your agreement to comply with all published policies governing the use of College computing resources.

Distribution lists facilitate the exchange of information between employees. Users of the College e-mail system can reduce the volume of e-mail and promote efficient use of the campus network by following these guidelines for use of the campus distribution lists.

455.030 CELLULAR DEVICES

This policy governs the authorization, use, and payment for cellular devices required for business purposes by Clark College. It ensures compliance with state statutes, administrative codes and case law regarding public records retention and discovery, permissible use of state-purchased devices, and monthly allowances for employees using personal devices to conduct state business. This policy addresses cellular devices for which the College will incur ongoing costs, either because the College purchased and maintains the device or because an employee seeks an allowance for using a personal cellular device for business purposes. It also addresses employee obligations under state law regarding public records retention and discovery even when an employee uses a personal device for occasional business purposes and does not seek an allowance from the College. This policy applies to all units and individuals at the College.

Clark College recognizes that cellular devices, for certain personnel, are valuable tools that aid the College in conducting business in an effective and timely manner. These tools can boost employee productivity, improve service, and promote public and employee safety. The college mandates ethical and equitable use of this technology, encourages use that supports productivity, confirms that electronic communications created and used for conducting College business are generally considered public records, and prohibits unauthorized and inappropriate use.

Clark College cannot guarantee adequate cellular reception in all College buildings or locations.  Cellular coverage varies considerably depending on the location and carrier. Employees who request an allowance for existing personal cellular device plans must verify that cellular coverage is adequate to conduct their work at the College.

Definition of Cellular Device 

A portable device with cellular communications capability and a cellular service plan such as a cell phone, smartphone, data card, cellular-enabled tablet, notebook, or any other type of device that uses cellular voice or data services. 

College-Issued Devices

Clark College may issue cellular mobile devices to College employees based on one or more of the following job requirements:

  1. The employee’s job requires field work or travel where landline phones are inaccessible or inefficient.
  2. The employee’s job requires immediate or on-call availability via phone or email.
  3. The employee needs a cellular device for work-related safety, security, or other emergency reasons.
  4. Other requirements as defined and documented by the College.

Procedure for requesting a College-issued cellular device

  1. Consult with your supervisor to discuss need and service plan types (i.e., voice, text messaging, data) required and the service plan limits (i.e., call minutes, data usage). Authorized plans can be reviewed at Department of Enterprise Services website https://des.wa.gov/
  2. Complete the cellular device authorization and agreement form (found on ClarkNet) and secure the required approval.
  3. Forward completed form to IT Services via ticketing
  4. Prepare a purchase requisition with your supervisor’s approval for the desired equipment and service plan. The requisition should include a line item listing the monthly service plan charges from the order date through the end of the fiscal year (June 30).
  5. To continue service in subsequent years, prepare a blanket purchase requisition in an amount sufficient to cover the monthly charges plus a small contingency for one year. Submit the requisition at the beginning of the fiscal year (July 1).
  6. If the cellular device is capable of email transmission or Internet access (i.e., smartphones and tablets), contact the IT Services Help Desk (ithelp@clark.edu or 360-992-2425) for assistance with equipment configuration.
  7. To cancel service contact the IT Services Help Desk.

Responsibilities

Clark College

  1. Clark College is responsible for ensuring the appropriate issuance and use of College-owned cellular devices and services, including employee eligibility, plan usage, and billing.
  2. For College-owned devices, Clark College must use existing state contracts for cellular devices and services unless there are compelling business reasons to do otherwise (e.g. coverage, service or plan type, etc.).
  3. Requests for cellular equipment and services will be reviewed and approved by the employee’s supervisor and/or Executive Cabinet member.
  4. Supervisors of employees who have been issued a College-owned cellular device or who receive an allowance for business use of a personal cellular device will, on an annual basis, review the need to continue the service or allowance. In the case of College-owned cellular devices, supervisors will actively monitor billing statements to ensure compliance with College policy and the Washington State Executive Ethics Law.
  5. If a cellular device is lost or stolen, and the device was purchased by IT Services, the device (College-issued cellular device) may be wiped remotely by IT Services (in accordance with State IT Security Standards).

Employee

  1. Employees who are issued a College-owned cellular device are to use the device for business purposes only.  Personal use of College-owned equipment and services, with few exceptions, is prohibited by state law.  Employees must be aware of their responsibilities under the law.  For more information, visit the Executive Ethics Board website at www.ethics.wa.gov.
  2. Employees are responsible for the safekeeping, care, and custody of cellular devices issued to them.
  3. Employees who have been issued a College-owned cellular device are expected to monitor and stay within the limits of the prior approved service plan. If an employee anticipates that the approved service plan(s) will be inadequate to meet job requirements, the employee will review the current service plan with their supervisor and may upgrade the service plan if approved and as needed. Employees are to avoid the use of additional cost for services that are not included in the approved service plan. 
  4. International calls and travelers – upon supervisor approval, employees should contact IT Services for assistance with options for international calling plans if traveling abroad. International calls on cellular devices can result in significant cost to the College. Options for least cost incurred to the college should be explored prior to international calls ex. conventional college land line long distance service should be used if determined cost effective over cellular international service. 
  5. When requested to do so, employees who have been issued a College-owned cellular device will review billing statements with their supervisor and provide explanations for call activity and data usage as needed and upon request. 
  6. Clark College employees who are using cellular technology to conduct state business are responsible for managing and retaining public records in accordance with records retention schedules, including but not limited to billing and usage records, including text messages, chat services, etc.
  7. Due to the difficulty in retaining and archiving records created by text messaging, for purposes of compliance with the Public Records Act, employees shall not use personal mobile devices to send  text messages related to College business unless the employee has been previously authorized to do so in writing by the employee’s Executive Cabinet member.  This exception will only be granted to employees using College-issued cellular devices where the text messages can be automatically archived by ITS for retrieval if needed at a future date.
  8. Clark College employees are responsible for backing up data stored on cellular devices so that the data can be restored in the event of hardware failure, or if the device is lost or stolen. Contact the IT Services Help Desk (ithelp@clark.edu or 360-992-2425) to discuss backup strategies.
  9. When an overtime eligible employee is issued a College cell phone or receives a cell phone allowance, the supervisor and employee must ensure time spent on the phone for work purposes is included in the documented hours worked.
  10. Employees must notify their supervisor or appropriate management immediately in the event of damage, loss or theft of cellular devices. The employee must also provide written notification of damage loss or theft.
  11. While on state business, employees must comply with all laws applicable to use of handheld cellular devices (wireless communication devices) while operating a motor vehicle, including RCW 46.61.672
  12. Employees must return College-owned cellular devices to their supervisor immediately when the employee leaves employment at the College or is no longer authorized to use a cellular device. The device must be returned to IT Services for storage, wipe and redistribution.
  13. Any employee using a College-owned device or seeking a monthly allowance for using their personal cellular device to conduct state business must sign the authorization agreement or be in violation of this policy.

Personal Mobile Devices Used for Business Purposes

As an alternative to issuing a College-owned cellular device, department head may authorize a monthly allowance to employees who meet eligibility criteria to offset the cost of business use of their personally owned cellular device. An employee is not obligated to use a personal cellular device for business purposes but may do so voluntarily. If an employee is required to use a cellular device for business purposes but does not want to use a personal device, the department may authorize the issuance of a College-owned cellular device. The allowance for business use of a personal cellular device may be authorized when the following conditions are accepted in writing by the employee:

  1. All employees who use a personal cellular device to access business documents and communications must comply with state and College-specific security standards, records management and retention schedules, and all other applicable laws and standards.
  2. All call records, text messages, chat messages, documents and data, photos, etc. used to conduct state business, and created, stored, or transmitted on personally owned devices, are subject to records retention requirements and public records disclosure.
  3. Personal call records and other information (e.g. personal data, photos, text messages, etc.) may be subject to review, audit or the surrender of device may be required in the event of a litigation hold or public disclosure request if related to state business.
  4. Employees are responsible for all costs and maintenance of their personal cellular device and service plans. The employee is also responsible for all contract fees such as activation fees and early termination penalties, regardless of the reason for authorizing or terminating an allowance.

Use of Personal Mobile Devices by Employees Not Seeking an Allowance

Employees who use their personal devices to conduct state business but elect not to request a monthly allowance are still governed by all state statutes, administrative codes and case law regarding public records retention and discovery regardless of how frequently they use their devices for state business purposes. 

Security, Privacy, and Records Management

  1. Recognizing that cellular device activity and transmissions may not always be secure, employees must follow College and State IT security standards and are prohibited from storing or relaying confidential information by such means unless authorized by College policy.
  2. Clark College reserves the right to monitor the use of all College-owned cellular devices and services. Employees should not expect privacy in their use of equipment and services that are supported or -owned by the College.
  3. All call records, documents and data, photos, etc. used to conduct state business via a personal device, as well as all contents of a College-owned device, are subject to records retention requirements and public disclosure. While the state does not have unfettered access to an employee’s personal device, any personal call records, text messages and other information may be subject to review or audit in the event of a public records request or litigation hold.
  4. Cellular devices purchased and distributed through IT Services will be added to a Clark College account and may be wiped (erased) remotely by IT Services when the device is lost or stolen, per State IT Security Standards.

New Policy/Procedure Approved by Executive Cabinet

New Policy/Procedure Approved by Executive Cabinet
April 9, 2013

Revised Policy/Procedure Approved by Executive Cabinet

March 15, 2022

455.035 IT ELECTRONIC COMMUNICATION

IT Electronic Communication users of Clark College email and other electronic communication services shall comply with the policies, procedures and standards set forth by the college administrative procedure 455.035. 

Policies & Procedures

  1. Users should have no general expectation of privacy when using the Clark College email system or other Clark College electronic communication services (ECS).  This expectation applies even if employees are using personal devices while conducting state business.
  2. Email and ECS digital content is college record, which may be disclosed under Washington Public Records Law, by subpoena, or to conduct college business.
  3. Email and ECS are resources provided to facilitate authorized college activities. They shall not be used to communicate opinions or information not directly attributed to required student course materials, assignments or other pedagogical requirements.
  4. The use of college state resources must comply with the state of Washington WAC 292-110-010.
  5. Mass mailings to Clark College email accounts shall be restricted to authorized personnel only.
  6. Users shall not use email and ECS to create or distribute inappropriate content.
  7. Users shall not obtain, or attempt to obtain, access to communications or files of other users unless authorized to do so to conduct college business.
  8. Third party email and ECS services shall not be used for the transmission of critical information unless previously vetted by the Information Security Manager.
  9. Users shall not use Clark College IT resources to post non-business-related messages.   Usenet newsgroups (newsgroup spam).
  10. Users shall not attempt to gain unauthorized access to, or forge, email header information.
  11. Users shall not post content that restricts or inhibits other users from using, or degrades the performance of, Clark College IT resources.

Standards & Guidelines

Email Retention Standard
Email is subject to the same records retention standards that apply to other documents and must be retained in accordance with Clark College records retention schedules and the records retention schedule for the Washington State Community and Technical Colleges system

  1. Email is one of the many methods of communicating information and does not in and of itself constitute a public record under the Public Records Act. However, information transmitted by email may become a public record if it is made or received in the transaction of public business by a state agency.
  2. The following examples of e-mail messages, including messages with attachments, that are public records include: policies and directives, correspondence related to official business, meeting agendas or minutes, official reports, or material that has legal or historic value.  If information transmitted via college electronic/digital services meets the definition of a "public record" it may not be deleted or otherwise disposed of except in accordance with a records retention schedule, directives of the State of Washington and the Procedures for Compliance listed per: RCW 42.56.  All employees are responsible for managing their own records.
  3. The retention requirement associated with any document is determined by its content, not its method of delivery. All employees are required to follow the retention schedule for Washington State Colleges as well as any applicable federal regulations.

Email Retention Types

  1. E-mail of transitory value: For example, a message seeking dates for a meeting has little or no value after the meeting. Messages of transitory value may be deleted when they no longer serve an administrative purpose.
  1. E-mail containing information having lasting value: Email is sometimes used to transmit records having lasting value. For example, email about interpretations of a department’s standards may be the only record of that subject matter.

Definitions

Chain Letter – A typical chain letter consists of a message that attempts to convince the recipient to make a number of copies of the letter and then pass them on to as many recipients as possible. 

Critical Information – Critical information includes, but is not limited to:

  1. Personal Identifiable Information (PII)
  2. Financial account numbers
  3. Passwords
  4. Information that may have a derogative impact on Clark College, staff or students at Clark College
  5. Internal communications that may have a derogative impact on Clark College operations if sent to someone without a need to know
  6. Health-related information
  7. Any information deemed confidential, restricted or academically sensitive

Digital Content – Any type of content that exists in the form of digital data. Also known as digital media, digital content is stored on either digital or analog storage in specific formats. Forms of digital content include information that is digitally broadcast, streamed, or contained in computer files.

Electronic Communication Services – ECS most commonly refers to Email, but policies apply to any content or communication activity over any Clark College IT Resource. These include, but are not limited to, email, instant messaging, collaboration platforms (Microsoft SharePoint, Teams, Skype, Google Groups, Canvas) video streaming, video and web conferencing.

Email Header – In an email, the body (content text) is always preceded by header lines that identify particular routing information of the message – including the sender, recipient, date and subject. 

Inappropriate Content – inappropriate and prohibited digital content includes, but is not limited to:

  1. Content that is hateful, threatening, or otherwise disruptive to College's educational mission.
  2. Content not related to Clark College business, administration, pedagogical or instructional activity.
  3. Content that violates other college policies, guidelines or existing agreements. Refer to the college’s Nondiscrimination and Non-harassment Policy, the code of student conduct, the WPEA collective bargaining agreement and the AHE collective bargaining agreement for further defined areas of college and workplace behavior.  
  4. Philosophical, religious, or political dialogue, editorial opinion, or debate unless such communication can be directly attributed to required student course materials, assignments, or other pedagogical requirements.
  5. Content that violates or infringes on the rights of another person, including the right of privacy.
  6. Content that contains defamatory, false, inaccurate, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive or otherwise biased, discriminatory, or illegal material.
  7. Content that Introduces or spreads viruses or other malware on computers or the network.
  8. Chain letters or blanket email messages.
  9. Unsolicited email messages, including "junk mail" or other advertising material (email spam) to individuals who did not specifically request such material or opt in (by subscribing to a group address).
  10. Unsolicited email originating from within Clark College's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Clark College or connected via Clark College's network.
  11. The personal use of state resource must adhere to WAC 292-110-010.

ISP – Internet Service Provider (e.g., Comcast, CenturyLink).

IT Resource –  Information Technology resources are the property of Clark College and include, but are not limited to all network related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and  web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP (File Transfer Protocol). IT Resources include resources administered by IT, as well as those administered by individual departments, and other college-based entities.

Junk Mail – Advertising mail, email spam, the sending of unsolicited bulk messages, etc.

Malware – Short for “malicious software,” malware refers to software programs designed to damage or do other unwanted actions on a computer system. Common examples of malware include viruses, worms, Trojan horses, ransomware and spyware.

Spam – The use of electronic messaging systems to send an unsolicited message.

Third Party Services – Include, but is not limited to, personal ISPs, free email providers (Gmail, Yahoo, etc.), cloud-based collaboration and data storage providers (e.g., OneDrive, DropBox etc.), social media sites (e.g., Facebook, LinkedIn), etc. The security of third-party providers cannot be reasonably evaluated and guaranteed by Clark College.

Usenet newsgroup – A repository, usually within the Usenet system, for messages posted from many users in different locations. Despite the name, newsgroups are discussion groups, and are not devoted to publishing news.

User – Any person who makes any use of any Clark College IT resource from any location (whether authorized or not).

* 455.035 Electronic communication supersedes any prior posted policy, procedure and/or administrative procedure related to electronic communication by Clark College employees and its students.

Revised Policy/Procedure Approved by Executive Cabinet
February 9, 2021

March 16, 2021

455.045 NETWORK SECURITY

Introduction

The proliferation of information technologies, including the Internet, has created a myriad of opportunities and challenges for individuals and organizations that use these technologies. The potential for malicious mischief, damage to or loss of equipment or data, and loss of privacy dictate that prudent steps be taken to safeguard the information technology assets of the College. Network security cannot be achieved with technical solutions alone; the College relies on its students and employees to be active participants in achieving a security network environment.

Scope

This policy details the rules and expectations that apply to employees of Clark College and any other parties who have been authorized to use College network resources.

Statutory Authority

The provisions of RCW 43.105.041 detail the powers and duties of the Information Services Board (ISB), including the authority to develop statewide or interagency information services and technical policies, standards, and procedures. This policy is executed in accordance with the Washington State Department of Information Services Information Technology Security Standards.

Data Security

Many College employees, as a requirement of their job duties, have access to sensitive or confidential information.  It is of utmost importance that employees are aware of the laws and regulations governing the handling of sensitive or confidential data and that they take appropriate measures to safeguard any sensitive or confidential data with which they are entrusted.  Sensitive and confidential data are defined as follows:

  • Sensitive. This class includes data for which specific protections are required by law or for which agencies are obligated to prevent identity theft or similar crimes or abuses. Examples of this class of data are people’s names in combination with any of the following…driver’s license numbers, date of birth, employee/student ID number (SID), and personal address, e-mail addresses, and telephone numbers.  Also included are student data protected under the Family Educational Rights and Privacy Act (FERPA).

  • Confidential. This class includes passwords, social security numbers (SSN), credit card numbers, expiration dates, PIN’s, and card security codes, financial profiles, bank routing numbers, medical records, and law enforcement records.

Data breaches resulting from employee errors or negligence can have serious financial implications and can damage the reputation of the College. Listed below are elements of information systems that pose data security risks and the corresponding College policy that addresses each element.

1. Passwords

Username and password combinations are the primary means of authenticating users of Clark College network resources and are an important element of the College’s security program.

Policy:  Where access to computing resources is protected by a personal password, no person shall divulge their password or allow others to use their password-protected account. Users shall take appropriate measures to safeguard their personal passwords to prevent unauthorized access to College computing resources.

In some cases, generic computer accounts are created and the username and password are intended to be shared by multiple users. These cases represent the only exceptions to this password policy.

2. E-mail

E-mail messages processed by the College e-mail system are not encrypted either in transport or storage.  It is possible for someone with the proper tools and sufficient access to the system to read the contents of an e-mail message. Therefore, the College e-mail system is not considered private and should not be used to communicate confidential information.

Policy: Clark College employees shall not use the College electronic mail system to communicate (internally or externally) or store confidential information.

3. Mobile Devices and Removable Storage Media

Mobile devices such as notebook computers and computer tablets, and removable storage media such as flash drives, CD’s or DVD’s, and portable hard disks are essential tools but these devices pose a significant risk to data security if used to store sensitive or confidential information. All data encryption should meet industry standards for secure data encryption. To further protect the data contained on laptops and tablets, all college owned laptops and computer tablets will have encrypted hard drives. Laptop and tablet users will be required to bring their college owned laptops to Information Technology Services once a year on a predesignated schedule to verify the encryption and update the laptop with all security patches and software updates as needed. Mobile device users will not attempt to disable security updates or hardware encryption.

Policy: Mobile computing equipment and removable storage media shall not be used to store or transport unencrypted confidential information. All college owned laptops and computer tablets will have their hard drives encrypted by Information Technology Services to limit data access in the event of a lost or stolen hard drive. College owned laptops and tablets will be returned to the Information Technology Services department once a year for encrypting and updating.

4. Databases

Database applications such as Microsoft Access are standard components of the College’s suite of office productivity software.  With a modest amount of training, database tools like Access can be used to create useful applications that increase office efficiency and productivity. However, if such a custom database, whether developed by an employee, a student, or an outside entity, is used to store sensitive or confidential information without sufficient access safeguards, there is a risk to data security.

Policy: No College employee shall purchase, develop, approve the development by others, or implement a database application that will be used to store sensitive or confidential information without the approval of the director of information technology services.

5. Application Service Providers

An Application Service Provider (ASP), sometimes called a “hosted service,” is a business that provides computer-based services to customers over a communications network. Typically, the ASP develops and maintains software applications, and supplies the servers, databases and communications equipment needed to deliver the service to the customer. The services of an ASP may be delivered over a private network but, more frequently, the Internet and the Web are used to collect and process customer information. The use of the Internet as a transport network provides ubiquitous access to the ASP’s application, but also poses significant data security risks.

Policy: No College employee shall purchase or utilize the services of an Application Service Provider where the ASP will collect, process or store sensitive or confidential information without the approval of the director of information technology services.

6. Hardcopy Data

Printouts and other hardcopy media containing sensitive or confidential data must be properly disposed of to prevent unauthorized access to the information. Faculty and staff must be particularly mindful of their obligation to safeguard student information protected under Family Educational Rights and Privacy Act (FERPA). Approved receptacles are provided in each campus building for the disposal of sensitive print documents.

Policy:  Clark College employees shall only use approved secure receptacles to discard print material containing sensitive or confidential information.

Connections to the Campus Network

Information Technology Services personnel are available to assist College employees with equipment installations and moves that require network connectivity. Employees who wish to install or move computers or other network-connected equipment should contact the Information Technology Services Help Desk before attempting to connect equipment to the network. An Information Technology Services technician will insure that the network device and jack are properly configured and that equipment inventory and network port records are appropriately updated. Temporarily disconnecting a networked computer and/or telephone to rearrange or clean an office does not require Information Technology Services assistance provided the user notes the original location of network and telephone cords.

Policy: No person shall connect any network device including hubs, switches, routers, network
printers, wireless access points, and network test and
measurement equipment to the Clark College network without the knowledge and prior approval of the network systems manager.

Faculty members who teach network technologies must coordinate their activities with the network systems manager to insure that instructional uses of the College network are secure and compatible with other network functions.

Web Servers and Internet Services

Internet services such as Web servers, mail servers, File transfer Protocol (FTP) servers, etc., pose a significant security risk to Clark College computing resources. It is essential that these services be properly deployed and maintained to minimize risk. Information Technology Services provides these services for the institution and, with the exception of certain instructional applications, there is no need or justification for employees to run Internet services on personal computers.

Policy: No person shall, without the prior written approval of the network systems manager, download, install and run a Web server on their office computer or any other computer connected to the College network. Furthermore, no other Internet accessible service, such as FTP, electronic mail, remote login (Telnet), etc., shall be downloaded, installed or maintained by any person on any computer connected to the College network.

Information Technology Services staff will, on a regular basis, perform network scans that will detect unauthorized Internet services running on the campus network. In the event unauthorized Internet services are discovered, ITS staff will, without prior notification, disable the network connection to the computer running the service. The employee responsible for the computer fund running unauthorized Internet services will be contacted and informed of the action taken. Network connectivity will not be restored until the unauthorized software is disabled or removed.

Wireless Network Access

Unauthorized wireless network transmission devices pose a significant risk to network security. Information Technology Services installs and maintains wireless equipment that is configured to insure an appropriate level of security. The placement of transmitters is critical to ensure adequate coverage while limiting the range of the transmitted signal to the intended coverage area.

Policy: No person shall connect a radio transmitter designed to broadcast network traffic (wireless access point or node) to the Clark College network without the express permission of the network systems manager.

Unauthorized wireless access points that are discovered on the College network will be disconnected from the network and confiscated.

Anti-Virus Software 

  • Windows Computers. The anti-virus software and virus definition files for windows computers are automatically updated from a central server.  This process is transparent to the user. Every network-connected Windows computer (except lab computers) is subjected to a full file scan each week.  Currently, this scan is initiated on Thursday at approximately 11:30 a.m. A window opens on the desktop informing the user that the scan is taking place. The user may minimize this window and continue working while the file scan proceeds. If the computer’s performance is being adversely affected, the user has the option to delay the scan for a period of one or three hours. The user has the ability to perform this “snooze” function up to three times after which the virus scan will be initiated.

  • Macintosh Computers. Macintosh computers have anti-virus software installed at the time the machine is initially set up. The anti-virus software is configured to access the anti-virus update server to check for updates to the software and virus definition files weekly. If updates are available, the software will be automatically downloaded and be installed on the machine. It is important that users not modify or attempt to disable this anti-virus update service.

Software Auto-Update Service

  • Windows Computers. Windows machines are configured to automatically check for critical updates on a local server via Microsoft Windows Server Update Services (WSUS). This process will download critical patches to the operating system and application software as they become available and are approved by the WSUS administrator. The Windows user is first notified that updates are available for downloading from the WSUS server by a flashing icon in the lower right hand corner of the screen.  It is important that users initiate the download process as soon as possible.  This usually takes less than a minute.  Next, the user is prompted to initiate the installation of the downloaded critical update on the computer.  Again, users are urged to initiate this process immediately and not defer it to a later time.  Lastly, in many cases users are prompted to reboot their machine so that the update process can take effect.  If you are involved in a project and do not want to be interrupted, you may defer this last step and the patch will be applied the next time you restart your machine (be sure to power down before you leave for the day). It is important that Windows users respond to the notification that critical updates are available. If you ignore the update notification or continue to defer the application of the update, you risk a potential attack on your computer and possible computers on the College network.
  • Macintosh Computers. Macintosh computers are configured to automatically check for updates weekly on an Apple software update server (XSUS). Operating system and application updates are tested and enabled by the XSUS administrator. The updates are automatically downloaded to the client computer and the user is notified of pending updates. Updates are applied when the computer is restarted. Users should restart their computers at the earliest opportunity.

Enforcement

Employees who intentionally violate the provisions of this policy are subject to disciplinary action in accordance with established College policy and/or negotiated agreements.

New Policy/Procedure Approved by Executive Cabinet
May 17, 2016

 

455.050 ACCESSIBLE TECHNOLOGY POLICY

Clark College values accessibility as outlined in our Strategic Plan and in accordance with federal and state laws and guidelines. Clark College is committed to providing accessible technology in its educational and administrative services, programs, and activities.  Ensuring equitable and effective electronic and information technology access is the responsibility of all college administrators, faculty, and staff. This policy applies to the procurement, development, use and implementation of all Clark College technologies and content. Clark College technology should provide substantially similar functionality, experience and information access to individuals with disabilities as it provides to others. Examples of technology covered by this policy include web sites, software systems, electronic documents, videos, student information systems, learning management tools, third party software platforms, and assessment tools.

Clark College is required to provide appropriate, effective, and integrated access to technology and electronic content for students, employees, and external community members. Clark College will follow Web Content Accessibility Guidelines 2.1 level AA accessibility guidelines and the most current guidelines per the Section 508 requirements. Clark College will maintain an accessibility plan identifying non-accessible technology, alternative methods of access, and actions taken to correct unresolved accessibility issues.

For guidelines on purchasing accessible technology, please reference Administrative Procedure 440.070.

The authority for this procedure is based upon the following federal and state statutes, policies and guidelines:

 

New Policy/Procedure Approved by Executive Cabinet
June 20, 2017
 
Revised Policy/Procedure Approved by Executive Cabinet
October 24, 2023