BP 8205 Monitoring and Auditing IT Resources

Statement of Purpose

PCC provides many technology products and services to support the academic and administrative needs of the College. Individuals who use the College’s IT resources are expected to follow certain defined behaviors in order to minimize information security risk and protect the College and its constituents.

Protecting students, faculty and staff from the risk of identity theft or unauthorized disclosure of personal information is the primary goal of adopting the best practices described in this policy.

This policy enables PCC IT staff to perform key operational and maintenance tasks, manage information security, and respond to legal requests.

In order to ensure availability and performance of IT services, PCC IT staff continually monitor the PCC network. This is critical to identify issues (e.g.: failed hardware), trends (e.g.: reaching critical capacity thresholds), identify anomalies and malware (e.g.: isolating a virus infection), and general network and server tuning.

In order to respond to authorized requests for information, PCC IT staff need the ability to perform targeted monitoring and/or inspection of data stored on IT resources.

Scope Statement

All Portland Community College (PCC) employees, students, and affiliates or other third parties that create, use, maintain, or handle PCC IT resources are subject to this policy. This policy applies to use of all PCC owned and managed IT resources, use of any computer or mobile device connected to a PCC network, all controlled sensitive data stored or transmitted using PCC IT resources and all users of such data.

Policy Summary

Authorized PCC IT Department employees shall monitor and audit PCC IT resources without restriction.

Policy

1. Authorized PCC employees may access, monitor, and audit equipment, systems, networks, network traffic, and specific usage and/or data without restriction.

2. Authorized PCC employees may access PCC electronic communications files (typically PCC email) to maintain system integrity, investigate security or abuse incidents, meet the legal requirements of a subpoena or warrant, or investigate violations of this or other College policies.
a. Access shall be on an “as needed” basis.
b. Access may occur without prior notice.
c. Accessed data shall only be disclosed to those individuals with a “need to know,” or as required by law.

3. Any faculty or staff member may request a review of PCC electronic communications files (typically PCC email) to determine whether there have been any breaches of security, violations of PCC policy, or breaches of duty by employees, students, or other users.

4. The Chief Information Officer (CIO) approves specific faculty or staff requests after reviewing with HR, VP Student Affairs, VP Academic Affairs, or other College administrators as appropriate.

Exemptions

Monitoring of devices that are connected to the PCC network is for security and operational purposes only and is intended to protect the PCC network against potential threats that such devices may introduce to the network. PCC will not (and cannot) scan, or otherwise inspect, user data, user-installed programs, user activity, or any other personal/user information on personal devices connected to the PCC network.
a. Example: A faculty member connects to the PCC wireless network and sends an email using their personal email account. This is not discoverable by PCC IT.
b. Example: A student connects their smart phone to the PCC wireless network and does a banking transaction. This is not discoverable by PCC IT.
c. Example: PCC is required to perform eDiscovery for a legal case. Data stored on personal devices connected to the PCC wireless network (e.g. personal laptops, smart phones, etc.) or data stored in third party sites (e.g.: Dropbox) are not discoverable by PCC IT.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO)

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

None

Definitions

Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.

At PCC, the CIO is responsible for all technology, with the exception of:
– Online Learning (Academic Affairs)
– Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
– Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)

Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at PCC.

Data Breach
Generally, an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.

Note: Although “breach” is a commonly used term in the information security community, legally, the term “breach” tends to only be used when a security event reaches the threshold of regulatory reporting. PCC legal council recommends using the terms “incident” or “compromise” until it can be determined whether an event satisfies the legal definition of a breach.

Hardware
The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Malware
Short for “malicious software,” malware refers to software programs designed to damage or do other unwanted actions on a computer system. Common examples of malware include viruses, worms, Trojan horses, and spyware.

Network
(In IT) The technology that carries messages between one computer and another.

A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.

End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.

The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).

Server
Hardware: a powerful computer designed for running enterprise applications, usually located in a datacenter.

Software: a computer program that accepts and responds to requests made by another program (known as a Client).

System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.

Virus
(In IT) A type of malicious software program (“malware”).

When executed, a virus replicates itself by modifying other computer programs and inserting its own code. Infected computer programs can include data files, memory resident code, or the “boot” sector of the hard drive.

Responsible Executive

Chief Information Officer

Responsible Officer

Chief Information Security Officer (CISO)

Responsible Office

Information Technology Department

Last Revision Date

11-01-2019