BP 8110 Personal Network Devices

Statement of Purpose

PCC’s Information Security Policies support the following goals:
1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
2. Ensure that PCC complies with all applicable laws and regulations.
3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
4. Ensure that users are protected from data breach and cybercrime.
5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
6. Prevent unauthorized disclosure of controlled sensitive data.
7. Prevent disruption of the learning experience.
8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
9. Ensure that IT systems are used for their intended purposes.
10. Establish processes for addressing policy violations and sanctions for violators.

Information Security is not only about protection of data from theft, but also seeks to ensure availability and access to data to authorized users when needed.

Personal network devices are computing devices that create unauthorized network extensions such as network hubs, hot spots and routers. These devices interfere with the normal functioning of PCC’s enterprise network architecture. In the past, they have resulted in district-wide network outages. This policy seeks to prevent the insertion of unauthorized network devices into the PCC network.

Scope Statement

This policy only applies to devices designed to extend a network – personal computing devices such as laptops, tablets, and smart phones are out of scope.

This policy applies to connectivity to any part of the PCC network, whether wired, wireless, or guest. All Portland Community College (PCC) employees, students, and affiliates that create, use, maintain, or handle PCC IT resources are subject to this policy. Accountable and responsible individuals are the IT operational support personnel.

Policy Summary

Network Extension Devices (NED) shall only be deployed on Portland Community College (PCC) networks with prior written approval of the Director of Infrastructure Services. Approved devices shall comply with PCC networking standards and all applicable information security policies.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

1. The Director of Infrastructure Services shall explicitly approve any use or deployment of NEDs. Requests and approvals must be documented on a change ticket.

2. Approved devices shall comply with PCC networking standards, shall be compatable with PCC network architecture.

3. Approved devices shall support authentication mechanisms that comply with currently defined policies and procedures for PCC devices. Where possible, such devices shall be integrated into the current PCC authentication systems. User authentication requirements for NEDs shall not be less strict than currently defined policies and procedures (e.g., complex passwords, password change interval, etc.).

4. All remote access to the PCC networks using NEDs shall be authenticated via a strong authentication scheme in accordance with PPC System Configuration policy: Remote Access.

5. All approved NEDs shall be inventoried. All approved users of these technologies shall be recorded.

6. All NEDs shall be labeled to include the device owner, the owner’s contact information, and the device’s purpose.

7. Acceptable use of NEDs is subject to the same guidelines and restrictions put forth in the PCC Acceptable Use Policies.

8. Permitted Locations – The NSM and ISM shall authorize the placement of any NED. Wireless access points are normally placed in/on the ceiling plenum. The use of these devices must be logged.

9. Session Connectivity shall be in accordance with PCC System Configuration policy.

Exemptions

None

Exceptions

Exceptions to this policy must be pre-approved in writing by the Director of Infrastructure Services

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

Authentication
Any process by which a system verifies the identity of a user who wishes to access it.

Since access control is normally based on the identity of the user who requests access to a resource, authentication is essential to effective security. For example, when someone logs into myPCC, the user-ID and password entered authenticates that the person logging in is the owner of the account.

Controlled Sensitive Data (CSD)
A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.

Cybercrime
Criminal activity or a crime that involves the Internet, a computer system, or computer technology.

Hardware
The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Information Security Manager (ISM)
(aka Associate CISO) Manager of the PCC Information Security team, reporting to the CIO and/or CISO.

Network
(In IT) The technology that carries messages between one computer and another.

A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.

End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.

The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).

Router
A networking device that forwards data packets between computer networks.

Software
A set of instructions that tells a computer what to do.

Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. Most common softwares are applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.

System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.

User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible Executive

Chief Information Officer

Responsible Officer

Director of Infrastructure Services

Responsible Office

IT Infrastructure Services

Last Revision Date

09-19-2019