BP 8203 Restricted Access and Malicious Behavior

Statement of Purpose

PCC provides many technology products and services to support the academic and administrative needs of the College. Individuals who use the College’s IT resources are expected to follow certain defined behaviors in order to minimize information security risk and protect the College and its constituents.

Protecting students, faculty and staff from the risk of identity theft or unauthorized disclosure of personal information is the primary goal of adopting the best practices described in this policy.

The primary responsibility of PCC’s IT department is to ensure the integrity, availability, and performance of technology services required to support the academic and administrative needs of the College. Any interference with the operation of IT resources may degrade our students’ learning experience, as well as result in disruption of services and/or compromise of sensitive systems and data.

This policy prohibits the use of, or interference with IT resources for purposes other than their designated purpose.

Please note that attempts at such access are generally intentional and use specialized technologies or involve behaviors that are not required for normal access to services. This policy does not apply to the normal use of PCC’s technology services for designated purposes.

Scope Statement

All Portland Community College (PCC) employees, students, and affiliates or other third parties that create, use, maintain, or handle PCC IT resources are subject to this policy. This policy applies to use of all PCC owned and managed IT resources, use of any computer or mobile device connected to a PCC network, all controlled sensitive data stored or transmitted using PCC IT resources and all users of such data.

Policy Summary

Users of PCC IT resources shall only use these resources for their designated purpose. Users shall not attempt to access restricted portions of the network or other core IT resources, attempt to monitor or interfere with network traffic, or intentionally engage in behaviors that could potentially cause harm to PCC network and systems availability or performance.

Policy

1. Users shall not access IT resources for any purpose other than to conduct normal and authorized academic or administrative activities.

2. Users shall not engage in malicious behavior, including but not limited to:
a. Installation of hardware devices or the development, download, or use of software or other methods with the intent to gain unauthorized access to IT resources, disrupt other computer or network users, or damage or degrade the performance, software, or hardware components of IT resources.
b. Introduction of malicious software into the network, or in any other way cause security breaches or disruptions of network communication.
c. Circumvention of user authentication or the security of any host, network, or account.
d. Interference with or denial of service to any user.

3. Users shall not: (see Exemptions)
a. Perform port scanning or security scanning.
b. Perform any network scanning

Exemptions

Authorized PCC IT staff or supervised affiliates may install specialized software and/or hardware and perform network support and monitoring activities as necessary in the normal course of work.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO)

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any user’s access rights (whether or not the user is suspected of any violation of this policy) when necessary to preserve the integrity of IT resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

None

Definitions

Affiliate
Any person or entity that has been sponsored by a PCC manager to receive controlled temporary access to PCC services.

This is generally as a result of a contractual relationship with PCC. For example, an air conditioning vendor may require affiliate access to test the HVAC system. A consultant project manager may require affiliate access to access project plans on a PCC system.

Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.

At PCC, the CIO is responsible for all technology, with the exception of:
– Online Learning (Academic Affairs)
– Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
– Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)

Denial of Service
A method of computer hacking that floods the Internet entry point(s) to an organization with fake messages, preventing valid messages from getting through.

An attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A Distributed Denial of Service (DDoS) attack is a type of DoS attack where multiple compromised systems, which are often infected with a Trojan horse, are used to target a single system.

Hardware
The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Information Security Manager (ISM)
(aka Associate CISO) Manager of the PCC Information Security team, reporting to the CIO and/or CISO.

Network
(In IT) The technology that carries messages between one computer and another.

A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.

End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.

The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).

Port Scanner
An application designed to probe a server or host for open ports.

This is often used by administrators to verify security policies of their networks and by attackers to identify services running on a host and exploit vulnerabilities.

Software
A set of instructions that tells a computer what to do.

Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. Most common softwares are applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.

User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible Executive

Chief Information Officer

Responsible Officer

Chief Information Security Officer (CISO)

Responsible Office

Information Technology Department

Last Revision Date

(not applicable to this policy)