SCEC Acceptable Use Policy

1.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at SCEC. These rules are in place to protect the students, teachers, employees and users of the SCEC network and SCEC itself. Inappropriate use exposes SCEC to risks including virus attacks, compromise of network systems and services, disclosure of student and/or administrative information and legal issues.

2.0 Scope

This policy applies to teachers, students, employees, contractors, consultants, temporaries, and other workers at SCEC, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by SCEC and also any devices that are attached to the SCEC network in any way.

3.0 Policy

3.1 General Use and Ownership

While SCEC's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on any SCEC systems remains the property of SCEC. Because of the need to secure SCEC's network, the confidentiality of information stored on any network device belonging to SCEC cannot be guaranteed.
Users are responsible for exercising good judgment regarding the reasonableness of personal use. Any activity that causes downtime on that users desktop or the network in general is prohibited.
For security and network maintenance purposes, authorized individuals within SCEC IT will monitor equipment, systems and network traffic at any time.
SCEC reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

3.2 Security and Proprietary Information

Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly, user level passwords should be changed every six months.
All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when the host will be unattended.
All systems that are connected to the SCEC Internet/Intranet/Extranet, whether owned by a third party or SCEC, shall be continually executing approved virus-scanning software with a current virus database.
Users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code. Users should contact SCEC IT if they unsure of how to handle a suspicious e-mail.
Users may not install or otherwise use Instant Messaging software other than that provided by SCEC IT. This includes, but is not limited to, Yahoo! Instant Messenger, AOL Instant Messenger (AIM) and MSN Instant Messenger.
Users may not install or otherwise use file-sharing software, also known as peer-to-peer (P2P) programs. This includes, but is not limited to, eDonkey, Limewire, Kazaa and Gnutella.

3.3. Unacceptable Use

The following activities are, in general, prohibited. Users who feel they need to be exempted from these restrictions during the course of their legitimate course of work should contact SCEC IT.

Under no circumstances is a user of the SCEC network authorized to engage in any activity that is illegal under local, state, federal or international law.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by SCEC.
Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which SCEC or the end user does not have an active license is strictly prohibited.
Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal.
Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
Revealing your account password to others or allowing use of your account by others.
Using a SCEC computing asset to actively engage in procuring or transmitting material that could be considered sexual harassment or hostile towards another user.
Making fraudulent offers of products, items, or services originating from any SCEC account.
Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
Port scanning or security scanning is expressly prohibited.
Executing any form of network monitoring which will intercept data not intended for the user's host.
Circumventing user authentication or security of any host, network or account.
Interfering with or denying service to any user other than the user's host (for example, denial of service attack).
Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
Providing information about, or lists of, SCEC employees, students or users to parties outside SCEC.

Email and Communications Activities

Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (spam).
Any form of harassment via email, instant messaging, telephone or paging, whether through language, frequency, or size of messages.
Unauthorized use, or forging, of email header information.
Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Instant Messenger programs, other than those installed by SCEC IT, are strictly prohibited.
Use of peer-to-peer (P2P, also known as file sharing) software packages, such as Kazaa, Limewire, eDonkey, etc. is prohibited.

4.0 Enforcement

Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

SCEC Email Use Policy

1.0 Purpose

To prevent disclosure of Student and/or Administrative information, tarnishing the public image of School City East Chicago (SCEC) and ensure a safe computing environment for all SCEC users.

2.0 Scope

This policy covers appropriate use of any email sent from a SCEC email address or any email sent using a SCEC computing device and applies to all teachers, employees, students, vendors, and agents operating on behalf of SCEC. Email is defined as any form of electronic mail sent to any ecps.org account.

3.0 Policy

3.1 Prohibited Use. The SCEC email system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Any user who receives an email with this content from any SCEC user should report the matter to SCEC IT immediately.

Also prohibited is: creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type; any form of harassment via email, instant messaging, telephone or paging, whether through language, frequency, or size of messages.

SCEC IT only supports the Groupwise email client. Any other email client application is not supported by SCEC IT and should not be used on the SCEC network.

Users may not install or otherwise use Instant Messaging software other than that provided by SCEC IT. This includes, but is not limited to, Yahoo! Instant Messenger, AOL Instant Messenger (AIM) and MSN Instant Messenger.

3.2 Personal Use.

Using a reasonable amount of SCEC resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Virus or other malware warnings and mass mailings from SCEC shall be approved by SCEC IT before sending. These restrictions also apply to the forwarding of mail received by a SCEC employee.

3.3 Monitoring

SCEC users shall have no expectation of privacy in anything they store, send or receive on the SCEC email system. To ensure compliance, SCEC routinely monitors e-mail messages for content without prior notice to the user. However, SCEC is not obliged to monitor email messages.

3.4 Mass Mailing

Under no circumstances should a SCEC user participate in mass e-mailings. This includes bulk messages in which the user does not have a personal relationship with the recipient. E-mail messages should be limited to a reasonable number of recipients.

3.4 Retention

SCEC systems will retain email messages for the period of one month following arrival of the message onto SCEC servers. After this time, the email messages will automatically be removed. Any important information contained in an email message should be copied out of the email system.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

SCEC Incident Reporting Policy

1.0 Purpose

The purpose of this policy is to clearly define what steps are to be taken if a security compromise is suspected.

2.0 Scope

This policy applies to all SCEC staff, any vendors working on their behalf, and any third parties who are servicing SCEC IT operations or working with in the SCEC organization.

3.0 Policy

3.1 Reportable Incidents

A reportable incident is anything that may compromise sensitive SCEC information. Sensitive Information is any information related to a student or any other information that is not public knowledge. This includes information related to, but is not limited to, insurance, health, financial, investment, criminal history, demographic and grades.

A Reportable Incident is anything that is observed that may cause this information to be compromised or that seems outside of normal business practices. This would include things such as suspicious or unknown individuals using office resources, phone calls asking for sensitive information without proper identification, signs of forced access into a room, office, filing cabinet, etc.

3.2 Reporting Process

Any individual who has knowledge of a Reportable Incident should contact the Director of Technology at 391-4100 immediately.

4.0 Enforcement

Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Password Policy

1.0 Overview

Passwords are one of the most important aspects of information security. A poorly chosen password can lead to the compromise of sensitive information, such as Student Information. All School City East Chicago (SCEC) employees (including contractors and vendors with access to SCEC systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all users who have an SCEC password for any system or device.

4.0 Policy

· All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a semi-annual basis.

· All user-level passwords for desktop computers must be changed at least every semester. After each semester, users that have not changed their password will be forced by the appropriate system.

· Passwords must not be inserted into email messages or other forms of electronic communication such as Instant Messaging. Password also must not be written down in an obvious or predictable place.

· All user-level and system-level passwords must conform to the guidelines described below.

4.1 Guidelines

A. General Password Construction Guidelines

STRONG passwords have the following characteristics:

· Contain both upper and lower case characters (e.g., a-z, A-Z)

· Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

· Are at least eight alphanumeric characters long.

· Are not a word in any language, slang, dialect, jargon, etc.

· Are not based on personal information, names of family, etc.

· Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

NOTE: Do not use these examples as passwords!

POORLY chosen passwords have the following characteristics and therefore should not be used on the SCEC network:

· The password contains less than eight characters

· The password is a word found in a dictionary (English or foreign)

· The password is a common usage word such as:

o Names of family, pets, friends, co-workers, fantasy characters, etc.

o Computer terms and names, commands, sites, companies, hardware, software.

o The words "East Chicago", "SCEC", "EastChic" or any derivation.

o Birthdays and other personal information such as addresses and phone numbers.

o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

o Any of the above spelled backwards.

o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

B. Password Protection

Do not use your SCEC passwords on any other system such as Yahoo Mail, E-bay or your personal banking website.

Do not share SCEC passwords with anyone under any circumstances. This includes administrative assistants, teachers, SCEC IT staff, secretaries, even your supervisor!

If someone demands a password, contact the school technology coordinator immediately.

Do not use the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).

Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices).

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Software Usage Policy

1.0 Purpose

The purpose of this policy is to ensure that School City East Chicago (SCEC) follows all licensing agreements with software providers.

2.0 Scope

The scope of this policy is all software that runs on the SCEC network and/or is used by SCEC employee’s for work related functions.

3.0 Policy

Only software that has been legally purchased through the SCEC IT department is to be installed on the SCEC computers. This is to ensure licensing compliance.

Software downloaded from the Internet, such as Shareware, Freeware and demo versions are not to be installed on SCEC systems. Often times, this software has special licensing considerations when not used by an individual. Also, this software may have undesired effects on the SCEC network.

Copying of software media (CD, floppy disk, DVD, etc) by SCEC is prohibited unless expressly authorized by the SCEC IT department. On occasion, SCEC may engage in a licensing agreement with a software provider that will allow employee’s to copy and use specific software at home. This, however, is not common and must be explicitly authorized by SCEC IT.

Installation of software licensed/owner by SCEC is not to be installed on home computers. If an employee wishes to do SCEC work from home and believes that software used by SCEC is necessary, a request should be made to the SCEC IT department. Installation of SCEC licensed/owned software on home computers is illegal unless specifically allowed by the software publisher.

Hacking “tools” such as port scanners, network mappers, penetration testers and other such software are not allowed on the SCEC network. These software packages can cause unexpected behavior on the network and are prohibited.

All purchases of textbooks that include software that is to be installed on the SCEC network must be submitted to the SCEC IT department prior to purchase. Installation of new software is done quarterly and textbook software will be installed in the next quarter.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.