INTERNET POLICY USE:

Internet use, on Company time, is authorized to conduct Company business only. Internet use
brings the possibility of breaches to the security of confidential Company information. Internet
use also creates the possibility of contamination to our system via viruses or spyware. Spyware
allows unauthorized people, outside the Company, potential access to Company passwords and
other confidential information.
Removing such programs from the Company network requires IT staff to invest time and
attention that is better devoted to progress. For this reason, and to assure the use of work time
appropriately for work, we ask staff members to limit Internet use.
Additionally, under no circumstances may Company computers or other electronic equipment be
used to obtain, view, or reach any pornographic, or otherwise immoral, unethical, or non-
business-related Internet sites. Doing so can lead to disciplinary action up to and including
termination of employment.
EXTERNAL DEVICE USE POLICY:
Access Control: ITD reserves the right to refuse, by physical and non-physical means, the ability
to connect mobile devices to college-connected infrastructure. ITD will engage in such action if
it feels such equipment is being used in such a way that puts the companys systems, data, users,
or students at risk.
Prior to initial use on the college network or related infrastructure, all mobile devices must be
registered with ITD. ITD will maintain a list of approved mobile devices and related software
applications and utilities, and it will be stored at the Company Website.
Devices that are not on this list may not be connected to college infrastructure. If your preferred
device does not appear on this list, contact the help desk. Although ITD currently allows only
listed devices to be connected to enterprise infrastructure, it reserves the right to update this list
at any time.
End users who wish to connect such devices to non-college network infrastructure to gain access
to enterprise data must employ, for their devices and related infrastructure, a company-approved


personal firewall and any other security measure deemed necessary by the ITD. Enterprise data
is not to be accessed on any hardware that fails to meet The Companys established college
Information Technology security standards.
All mobile devices attempting to connect to the college network through an unmanaged network
(i.e. the Internet) will be inspected using technology centrally managed by ITD. Devices that
have not been previously approved by ITD are not in compliance with ITDs security policies, or
represent any threat to the college network or data will not be allowed to connect. Laptop
computers or personal PCs may only access the college network and data using a Secure Socket
Layer (SSL) Virtual Private Network (VPN) connection. The SSL VPN portal Web address will
be provided to users as required. Smart mobile devices such as smartphones, PDAs, and UMPCs
will access the company network and data using Mobile SSL or VPN software installed on the
device by ITD.
Security: Employees using mobile devices and related software for network and data access will,
without exception, use secure data management procedures. All mobile devices must be
protected by a strong password, and all data stored on the device must be encrypted using strong
encryption. See the ITDs password policy for additional background. Employees agree to never
disclose their passwords to anyone, particularly to family members if business work is conducted
from home.
All users of mobile devices must employ reasonable physical security measures. End users are
expected to secure all such devices used for this activity whether or not they are actually in use
and/or being carried. This includes, but is not limited to, passwords, encryption, and physical
control of such devices whenever they contain college data. Any non-company computers used
to synchronize with these devices will have installed antivirus and anti-malware software
deemed necessary by ITD Anti-virus signature files on any additional client machines such as a
home PC on which this media will be accessed, must be up-to-date.
Passwords and other confidential data as defined by ITD are not to be stored unencrypted on
mobile devices.
Any mobile device that is being used to store The Company data must adhere to the
authentication requirements of the ITD. In addition, all hardware security configurations


(personal or company-owned) must be pre-approved by ITD before any enterprise data-carrying
device can be connected to it.
ITD will manage security policies, network, application, and data access centrally using
whatever technology solutions it deems suitable. Any attempt to contravene or bypass said
security implementation will be deemed an intrusion attempt and will be dealt with in accordance
with The Companys overarching security policy.
Employees, contractors, and temporary staff will follow all enterprise-sanctioned data removal
procedures to permanently erase company-specific data from such devices once their use is no
longer required. See Company Website for detailed data wipe procedures for mobile devices.
This includes the discarding of the device itself. Any device that has been discarded, sold,
transferred or no longer used by the user must have all company-specific data erased in
accordance with the procedures referenced in this paragraph.
In the event of a lost or stolen mobile device it is incumbent on the user to report this to IT
immediately. The device will be remotely wiped of all data and locked to prevent access by
anyone other than ITD. If the device is recovered, it can be submitted to ITD for reprovisioning.
Help & Support: ITD will support its sanctioned hardware and software, but is not accountable
for conflicts or problems caused by the use of unsanctioned media, hardware, or software. This
applies even to devices already known to the ITD.
Employees, contractors, and temporary staff will make no modifications of any kind to
company-owned and installed hardware or software without the express approval of ITD. This
includes, but is not limited to, any reconfiguration of the mobile device.
ITD reserves the right, through policy enforcement and any other means it deems necessary, to
limit the ability of end users to transfer data to and from specific resources on the enterprise
network.
Organizational Protocol: ITD can and will establish audit trails and these will be accessed,
published, and used without notice. Such audit trails will be able to track the attachment of an
external device to a PC, and the resulting reports may be used for investigation of possible
breaches and/or misuse. The end user agrees to and accepts that his or her access and/or


connection to The Companys networks may be monitored to record dates, times, duration of
access, etc., in order to identify unusual usage patterns or other suspicious activity. This is done
in order to identify accounts/computers that may have been compromised by external parties. In
all cases, data protection remains the Companys highest priority.
The end user agrees to immediately report to his/her manager and the ITD any incident or
suspected incidents of unauthorized data access, data loss, and/or disclosure of company
resources, databases, networks, etc.
The Company will not reimburse employees if they choose to purchase their own mobile
devices. Users will not be allowed to expense mobile network usage costs.
Every mobile device user will be entitled to a training session around this policy. While a mobile
device user will not be granted access to college resources using a mobile device without
accepting the terms and conditions of this policy, employees are entitled to decline signing this
policy if they do not understand the policy or are uncomfortable with its contents.
Any questions relating to this policy should be directed to the Director of Technology.
Privacy Rights: Users of mobile devices have no reasonable expectation of privacy in any
business related data on that device, regardless of whether the device is owned by the user,
except as otherwise provided by applicable privacy laws.
Business related data sent on a mobile device, regardless of whether the device is owned by the
user, may be considered public record and may be subject to disclosure pursuant to applicable
laws, court orders or subpoenas, without the users consent.
Company Identification (ID) Policy:
Step 1: Announce your new or updated ID badge policy by email to anyone who manages
employees in your business. In the email, explain the reason for the new policy and attach a copy
of it for review. If you're using badges for the first time, or the appearance of an existing badge
has changed, attach images of the badge for review.
Step 2: Set up a meeting with your management staff to respond to any questions they have
about the policy before releasing it to the rest of your employees.


Step 3: Demonstrate the appropriate way to display the ID badge. For example, on a belt clip or
lanyard with the employee's photo facing outward. If the badge doubles as a door access card and
has a magnetic strip or radio frequency identification (RFID) chip, demonstrate the appropriate
way to swipe or scan the card. In addition, demonstrate the correct procedure to request
assistance to enter the building if the card is misplaced, lost, forgotten or doesn't work.
Step 4: Discuss any challenges that the policy presents and ways to work around them.
Challenges could include ways to sanction employees who neglect to wear the ID badge or
alternatives for those who perform work duties that make wearing the badge difficult or unsafe.
Step 5: Work with your managers to create a plan to inform the rest of your employees about the
new policy. Use your method of informing them of the new policy as an example of the format
you want them to use and discuss additional ideas such as posting the new policy announcement
on a break room bulletin board. In addition, ask your managers to select a meeting method --
small groups or in one large group -- that they feel will make it easier for them to inform the
other employees, provide training and answer questions.
Step 6: Set a date to announce the new ID badge policy by email and on bulletin boards. In
addition, set a date to formally roll out the policy to your remaining employees.
Computer Use Policy
The Company owns the rights to all data and files in any computer, network, or other
information system used in the Company and to all data and files sent or received using any
company system or using the Company's access to any computer network, to the extent that such
rights are not superseded by applicable laws relating to intellectual property. The Company also
reserves the right to monitor electronic mail messages (including personal/private/instant
messaging systems) and their content, as well as any and all use by employees of the Internet and
of computer equipment used to create, view, or access e-mail and Internet content. Employees
must be aware that the electronic mail messages sent and received using Company equipment or
Company-provided Internet access, including web-based messaging systems used with such
systems or access, are not private and are subject to viewing, downloading, inspection, release,
and archiving by Company officials at all times. The Company has the right to inspect any and
all files stored in private areas of the network or on individual computers or storage media in


order to assure compliance with Company policies and state and federal laws. No employee may
access another employee's computer, computer files, or electronic mail messages without prior
authorization from either the employee or an appropriate Company official.