Overview
The Information Technology (IT) department is committed to protecting Quincy College's employees, students, and systems from illegal or damaging actions while maintaining a culture of openness, trust, and integrity. All IT systems and data are the property of Quincy College and should be used for purposes aligned with the College's mission and business interests.
Purpose
This policy outlines the acceptable use of computer equipment to protect students, employees, and Quincy College from risks such as cyber threats, data breaches, virus attacks, network compromise, and legal issues.
Scope
This policy applies to all employees, contractors, consultants, temporary workers, and other affiliates using Quincy College's electronic and computing devices and network resources. It covers all equipment owned or leased by Quincy College.
Policy
1. General Use and Ownership
- Quincy College proprietary information stored on electronic and computing devices remains the property of Quincy College.
- Report any theft, loss, or unauthorized disclosure of proprietary information immediately.
- Access, use, or share proprietary information only to fulfill job duties.
- The college environment supports only Windows- or Mac-based operating systems.
2. Security and Proprietary Information
- Comply with the Minimum Access Policy for all mobile and computing devices.
- Use strong, unique passwords that comply with the Password Policy.
- Lock screens or log off when devices are unattended.
- Use caution when opening email attachments from unknown senders or clicking on unknown links.
- Regularly update software and systems to protect against vulnerabilities.
3. Unacceptable Use
- Activities that are prohibited include, but are not limited to:
  - Violating copyright laws and software licensing agreements.
  - Engaging in illegal activities or those that may harm the college’s reputation.
  - Unauthorized access to or use of the college’s network and systems.
  - Using the college’s resources for personal gain or commercial purposes not related to Quincy College.
4. Data Protection
- Follow data classification standards to ensure the confidentiality, integrity, and availability of data.
- Sensitive and restricted data must be encrypted both in transit and at rest.
- Implement multi-factor authentication (MFA) where possible to enhance security.
- Regularly back up important data and verify the integrity of those backups.
5. Monitoring and Enforcement
- Quincy College may monitor equipment, systems, and network traffic to ensure compliance with this policy.
- Violations may result in disciplinary action, including termination of employment or legal action.
Section 9.10.1: Multi-Factor Authentication (MFA)
Policy Statement:
All users must utilize Multi-Factor Authentication (MFA) for accessing college systems, applications, and data. MFA is mandatory for remote access, privileged accounts, and sensitive data.
Procedures:
- Implement MFA solutions supporting SMS, app-based, and biometric authentication.
- Regularly update MFA configurations.
- Educate users on MFA importance.
Section 9.10.2: Patch Management
Policy Statement:
The college shall establish and maintain a comprehensive patch management program to ensure all software and systems are promptly updated with security patches.
Procedures:
- Conduct regular vulnerability scans.
- Prioritize and deploy patches based on risk.
- Test patches in a controlled environment before deployment.
Section 9.10.3: Backup Procedures
Policy Statement:
The college shall implement a comprehensive backup strategy, ensuring regular backups, secure storage, and routine testing of backup data.
Procedures:
- Follow the 3-2-1 backup rule (3 copies, 2 types of storage, 1 off-site).
- Encrypt backup data.
- Regularly test backup restorations.
Section 9.10.4: Incident Response Plan
Policy Statement:
The college shall develop, maintain, and regularly test an incident response plan to address security incidents effectively.
Procedures:
- Conduct regular incident response drills.
- Establish a dedicated incident response team.
- Align incident response plans with organizational policies and regulatory requirements.
Section 9.10.5: Password Policies
Policy Statement:
The college shall enforce strong password policies, requiring complex passwords and regular password changes.
Procedures:
- Utilize password managers for generating and storing strong passwords.
- Implement account lockout mechanisms after repeated failed login attempts.
- Educate users on password best practices.
Section 9.10.6: Security Awareness Training
Policy Statement:
All employees must undergo regular security awareness training to stay informed about the latest threats and security practices.
Procedures:
- Use interactive and engaging training methods.
- Include practical exercises like phishing simulations.
- Update training content based on emerging threats.
Section 9.10.7: Network Segmentation
Policy Statement:
The college shall segment its network to limit access to sensitive data and systems based on the principle of least privilege.
Procedures:
- Implement VLANs and subnets to segregate network areas.
- Use ACLs and firewalls to enforce segmentation.
- Regularly review and update network segmentation policies.
Section 9.10.8: Network Device Configuration
Policy Statement:
All network devices must be securely configured according to established guidelines and regularly reviewed for compliance.
Procedures:
- Disable unnecessary services and ports.
- Apply the principle of least privilege for network device access.
- Use configuration management tools to automate secure configurations.
Section 9.10.9: Data Encryption
Policy Statement:
The college shall ensure all sensitive data is encrypted both at rest and in transit using strong encryption standards.
Procedures:
- Use AES-256 for data at rest and TLS 1.2 or higher for data in transit.
- Implement key management practices to secure encryption keys.
- Regularly review and update encryption protocols.
Section 9.10.10: Physical Security Controls
Policy Statement:
The college shall implement physical security measures to protect critical infrastructure and sensitive data from unauthorized access.
Procedures:
- Use access control systems (e.g., badges, biometrics) for secure areas.
- Install surveillance cameras to monitor key locations.
- Conduct regular physical security audits.
Section 9.10.11: Regulatory Compliance
Policy Statement:
The college shall ensure compliance with all relevant regulatory requirements and industry standards.
Procedures:
- Conduct regular compliance audits and assessments.
- Implement policies and procedures to address regulatory requirements.
- Stay informed about regulatory changes and update policies accordingly.
Section 9.10.12: Logging and Monitoring
Policy Statement:
The college shall implement comprehensive logging and monitoring practices to detect and respond to security incidents.
Procedures:
- Use centralized logging solutions (e.g., SIEM) to collect and analyze logs.
- Set up alerts for suspicious activities and anomalies.
- Regularly review log data to identify potential threats.
Section 9.10.13: Administrative Privileges
Policy Statement:
Administrative privileges must be limited to only those users who need them for their roles and responsibilities.
Procedures:
- Implement role-based access control (RBAC).
- Use privileged access management (PAM) solutions.
- Regularly review and update administrative access permissions.
Section 9.10.14: Third-Party Risk Management
Policy Statement:
The college shall establish a third-party risk management program to assess and mitigate risks posed by vendors and partners.
Procedures:
- Conduct due diligence and risk assessments for all third-party vendors.
- Include security requirements in contracts and SLAs.
- Monitor third-party compliance with security policies.
Section 9.10.15: Change Management
Policy Statement:
The college shall implement a structured change management process to ensure changes are assessed, approved, and documented.
Procedures:
- Use change management tools (JIRA) to track and manage changes.
- Conduct impact assessments for all proposed changes.
- Implement a rollback plan for changes that fail or cause issues.
Original: October 1999
Revised: January 2017; August 2021; July 2024