BP 8201 IT Security and Encryption
Statement of purpose
PCC provides many technology products and services to support the academic and administrative needs of the College. Individuals who use the College’s IT resources are expected to follow certain defined behaviors in order to minimize information security risk and protect the College and its constituents.
Protecting students, faculty, and staff from the risk of identity theft or unauthorized disclosure of personal information is the primary goal of adopting the best practices described in this policy.
The purpose of this policy is to ensure that data is protected from unauthorized access, either physically (e.g.: preventing the theft of a laptop or USB drive), by using access controls (e.g.: locking computers when unattended), or by using encryption (e.g.: encrypting outbound emails using Virtru).
Scope statement
All Portland Community College (PCC) employees, students, and affiliates or other third parties that create, use, maintain, or handle PCC IT resources are subject to this policy. This policy applies to use of all PCC owned and managed IT resources, use of any computer or mobile device connected to a PCC network, all controlled sensitive data stored or transmitted using PCC IT resources and all users of such data.
Policy summary
Users of PCC IT resources shall adhere to computer security and data encryption best practices.
Policy
- Users who manage or use IT resources shall protect them from unauthorized modification, disclosure, and destruction to the best of their ability.
- Users shall secure and lock, or log off, all unattended devices.
- Users shall not give others unauthorized access to resources that have been assigned to them.
- Users shall not leave mobile devices that contain controlled sensitive data unattended.
- Users shall report the loss of mobile devices, or any other media containing controlled sensitive data, immediately (or as soon as possible).
- Users shall use extreme caution when opening attachments in email or text messages (or other electronic files) received from unknown senders.
- Users shall only use encryption approved and provisioned by PCC to store or transmit controlled sensitive data.
- When sending emails containing controlled sensitive data from a pcc.edu email address to a non-pcc.edu email address, faculty and staff shall use PCC email encryption services.
Visit the Virtru page on Spaces for instructions on how to install and use Virtru, or contact the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu.
Exemptions
None.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO) / Chief Information Security Officer (CISO).
Policy violation
- Violation of this policy may result in disciplinary action in accordance with PCC People, Strategy, Equity and Culture (PSEC) and/or Student Conduct guidelines.
- PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
- Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
- PCC reserves the right to deactivate any user’s access rights (whether or not the user is suspected of any violation of this policy) when necessary to preserve the integrity of IT resources.
Complaint procedures
Report non-security-related violations (such as receipt of inappropriate content, other People, Strategy, Equity and Culture (PSEC) policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, PSEC, or EthicsPoint.
Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.
Governing standards, policies, and guidelines
None.
Definitions
- Affiliate
Any person or entity that has been sponsored by a PCC manager to receive controlled temporary access to PCC services.- This is generally as a result of a contractual relationship with PCC. For example, an air conditioning vendor may require affiliate access to test the HVAC system. A consultant project manager may require affiliate access to access project plans on a PCC system.
- Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.- At PCC, the CIO is responsible for all technology, with the exception of:
- Online Learning (Academic Affairs)
- Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
- Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)
- At PCC, the CIO is responsible for all technology, with the exception of:
- Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at PCC. - Encryption
The process of converting data to an unrecognizable or “encrypted” form.- Encryption is commonly used to protect sensitive information so that only authorized parties can view it.
- IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.- IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
- Network
(In IT) The technology that carries messages between one computer and another.- A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.
- End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.
- The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).
- USB “Thumb” Drive
A portable data storage device that includes flash memory. Has a USB connector that plugs into the USB socket on a computer. - User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).
Responsible executive
Chief Information Officer
Responsible officer
Chief Information Officer (CIO), Chief Information Security Officer (CISO)
Responsible office
Information Technology Department
Last revision date
09-09-2024