The items listed below seem to be the source of the most consistent confusion and questions, particularly with regard to individual employee responsibilities and expectations regarding information security.
All employees have expected roles securing the valuable information available for use on campus and the technology with which we access it. In the interest of saving some time, I am including only fairly brief bullet points regarding these five areas of particular concern; if you have further questions regarding this or any other information security topic, please feel free to contact either myself or the Help Desk (x4357).
Every Bellevue College employee should understand:
1- Login accounts and passwords providing access to Bellevue College IT resources should not be shared.
In some cases, groups of individuals may share access to an e-mail account acting as a central unit contact resource for business purposes, but such shared e-mail accounts may never be used to log into computers or the college network.
Individuals should also never allow anyone else to use a computer into which they’ve logged-in. This is not only a security risk for the network, it is an individual identity protection measure as well. If someone else is logged in as you, everything they may do online appears to be your doing.
2- Bellevue College policies require that employees secure their workstations if they leave the immediate area
This may mean logging out and shutting down the computer in some cases, but most of the time locking the screen and requiring a password to unlock it is sufficient.
3- Electronic data is subject to the same privacy restrictions as non-electronic information and data, and requires the same protections.
Protection of sensitive electronic data collected and used at the college is the primary purpose for implementing information security measures.
- Caution always needs to be used to ensure that protected college data is not unintentionally disclosed through e-mail, instant messaging, the web, blogs or podcasts. The physical security of protected data saved to any storage media (tapes, disks, USB drives or hard drives), especially data stored on college laptop computers, is of the highest concern at all times.
4- All communications through the college network is logged (recorded in a database), and is publically-disclosable information.
This does not mean individual activities are monitored on a routine basis, but it does mean that Bellevue College has an obligation to produce all network records when legally required (either in response to a public records request, to civil litigation, or in a criminal investigation). In the case of on-going investigations, this could include real time monitoring, as directed by the HR VP.
A significant aspect of the public nature of college electronic communication is the use of e-mail. All e-mail is potentially disclosable in response to a legal or public disclosure request. A good rule of thumb is not to put something into an e-mail that you would be uncomfortable with being subsequently published in a newspaper.
5- All software and technology hardware used at Bellevue College must be properly licensed and processed through Computing Services (CS) for records and auditing purposes.
The civil and financial liability to the college and to individuals related to using improperly licensed software is significant, as much as $100,000 for each individual incident!
In the case of college-owned technology, this requirement for keeping records includes any hardware and software, whether purchased by unit funds, college funds or professional development funds.
Personally-owned or purchased software and hardware may be installed on campus, but the same guidelines for licensing apply. In the case of personally-owned hardware, requirements exist for testing for compatibility with the existing BC technology and network, and for proper security configuration.
These points obviously do not cover all aspects of IT security on campus, but they are perhaps the five areas most misunderstood and most easily remedied by employees. If everyone on campus understands these issues and follows the guidelines and procedures related to them, information security on campus can be significantly increased.