BP 8204 User Accounts and Passwords

Statement of Purpose

PCC provides many technology products and services to support the academic and administrative needs of the College. Individuals who use the College’s IT resources are expected to follow certain defined behaviors in order to minimize information security risk and protect the College and its constituents.

Protecting students, faculty and staff from the risk of identity theft or unauthorized disclosure of personal information is the primary goal of adopting the best practices described in this policy.

Users of computer systems use “credentials” to identify themselves in order to securely access their accounts and personal data. These credentials are usually in the form of a User-ID/Password pair, but can be other forms, such as a Social Security Number, G-Number, PIN, challenge question, etc.

This policy seeks to protect individual user’s rights and ensure that their personal data is secure by requiring adherence to best practices for the use of credentials and account access.

Third party, cloud-based systems (e.g.: Dropbox) pose a particular threat to PCC. PCC has no administrative control over these platforms. When cybercriminals breach these sites, they sell credentials and data to other hackers. If a user used their PCC credentials or has stored controlled sensitive data in these sites, hackers can then use those credentials to gain direct access to critical PCC systems and data.

Finally, it is important to point out that PCC cannot recover or restore data stored in third party systems, so Users must accept the risk of losing their data when using these services.

Scope Statement

All Portland Community College (PCC) employees, students, and affiliates or other third parties that create, use, maintain, or handle PCC IT Resources are subject to this policy. This policy applies to use of all PCC owned and managed IT Resources, use of any computer or mobile device connected to a PCC network, all controlled sensitive data stored or transmitted using PCC IT Resources and all users of such data.

Policy Summary

Users of PCC IT resources shall comply with account and password management security best practices.

Policy

1. Users shall not share their passwords, or otherwise provide access to their PCC credentials, to another individual (see Exemptions).

2. Users shall not use their PCC credentials for personal purposes. When creating personal accounts with non-licensed websites (such as Facebook, Netflix, or Twitter) or other third party entities:
a. Users shall not use their PCC User-ID/Password pair as their account login to personal accounts.
b. Users shall not store controlled sensitive data in personal accounts.

3. Users with an academic or administrative need to access non-licensed websites or other third party entities shall:
a. Make best efforts not to use their PCC credentials.
b. Use a materially different password than their regular PCC password if there is a requirement to use a PCC User ID (e.g.: registering for a conference with PCC email address).
c. Make best efforts not to store controlled sensitive data in such sites.

4. Users shall not use another user’s PCC credentials, attempt to capture or guess another user’s PCC credentials, or otherwise attempt to access another user’s PCC account.

5. Users shall make a reasonable effort to protect their passwords and to secure IT resources against unauthorized use or access. Specifically, writing down passwords (even if stored out of public view) or storing in plain text in a computer file are violations of this policy.

6. PCC credentials and accounts are provided at the discretion of PCC and subject to the following terms of use:
a. PCC has a legal obligation to access and provide any data (personal or otherwise) stored on PCC systems requested as part of litigation (eDiscovery).
b. Authorized personnel may inspect any data transmitted or stored using IT resources. This includes equipment, files, and PCC email (see Exemptions).
c. Upon termination of electronic services, all user credentials shall be disabled and users shall no longer have access to the contents of their mailboxes or other PCC accounts.

7. PCC credentials and system accounts are provisioned based on user type:
a. Employee Accounts: Access to IT resources is provided only while a user is employed by PCC.
b. Student Accounts: Student email accounts shall be created at the time of admission and deactivated if any of the following criteria are met (Note: students are encouraged to backup important personal data to alternate storage media before inactivation):
i. Inactivation after two consecutive years of non-enrollment in a course for credit students,
ii. Inactivation after three consecutive years of non-enrollment for non-credit students, or
iii. Inactivation at the request of the student.
c. Affiliate Accounts: Individuals with a special relationship with PCC who are neither employed by, nor enrolled at PCC may be granted limited email privileges, including an email address, commensurate with the nature of their special relationship. PCC reserves the right to discontinue these privileges at any time.

Exemptions

1. If, in the course of their normal duties, a user is required to provide access to their personal accounts to another user, they shall use PCC-approved methods for granting “proxy” access (e.g.: nominating a proxy to approve timesheets if a supervisor is on vacation).

2. Monitoring of devices that are connected to the PCC network is for security and operational purposes only and is intended to protect the PCC network against potential threats that such devices may introduce to the network. PCC will not (and cannot) scan, or otherwise inspect, user data, user-installed programs, user activity, or any other personal/user information on personal devices connected to the PCC network.
a. Example: A faculty member connects to the PCC wireless network and sends an email using their personal email account. This is not discoverable by PCC IT.
b. Example: A student connects their smart phone to the PCC wireless network and does a banking transaction. This is not discoverable by PCC IT.
c. Example: PCC is required to perform eDiscovery for a legal case. Data stored on personal devices connected to the PCC wireless network (e.g. personal laptops, smart phones, etc.) or data stored in third party sites (e.g.: Dropbox) are not discoverable by PCC IT.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO)

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any user’s access rights (whether or not the user is suspected of any violation of this policy) when necessary to preserve the integrity of IT resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

None

Definitions

Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.

At PCC, the CIO is responsible for all technology, with the exception of:
– Online Learning (Academic Affairs)
– Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
– Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)

Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at PCC.

Cloud Computing
A general term for the delivery of hosted computing services over the internet.

Cloud computing enables companies to consume a compute resource, such as a virtual machine (VM), storage, or an application, as a utility service.

PCC’s Google “G-Suite” environment (that supports gmail, Google Drive, etc.) is a Cloud service. The students’ PantherHub is another example of Cloud technology.

Controlled Sensitive Data (CSD)
A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.

Credentials
In the context of authentication, the term “credential” refers to a key that uniquely identifies a user to a system. A credential is most commonly in the form of a “user name and password” authentication token that is bound to a particular user. Some other examples of credentials are biometric identifiers (e.g. thumbprint scan) and digital identification mechanisms such as smartcards and multi-factor authentication.

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Network
(In IT) The technology that carries messages between one computer and another.

A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.

End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.

The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).

Third Party
(In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”

User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible Executive

Chief Information Officer

Responsible Officer

Chief Information Security Officer (CISO)

Responsible Office

Information Technology Department

Last Revision Date

11-01-2019