IT Policies

Acceptable Usage Policy for Computing and Network Resources

General

1. Catawba College, within the scope of its operations, provides computer resources to authorized users only.
2. Any person using Catawba College computing or network resources must abide by this Acceptable Usage Policy.

Authorized Users

1. Faculty, staff, trustees, enrolled students, alumni, approved vendors/contractors, and employees that leave in good standing may be authorized to utilize College computer resources. Under special circumstances, members of the general public may be so authorized with the prior consent of the Chief Information Officer.
2. Each authorized user of the system will be provided a distinct username and password. The default password assigned at account creation must be changed within 30 days.
3. Users are required to change their system password every 120 days.
4. Users are expected to memorize their passwords (highly recommended) or to store written password clues in a highly secure location. Users are expected to change their password immediately if they have any reason to suspect that the integrity of their password has been compromised.
5. If you are unable to reset your password online, you will be required to verify your identity with the Information Technology department in order to have it reset.
6. Users may not attempt to gain access to another user's account or files, and may not erase or modify any application, configuration, or data file not specifically belonging to the user.
7. All non-email data associated with computer accounts may be deleted 45 days after students withdraw or graduate. For employees, non-email data may be deleted on the effective date of the resignation or termination unless alternate arrangements are made with the Information Technology department. Employee Office 365 data, network drive, and local drive information can be archived and made available to the employee's immediate supervisor upon request.
8. The username assignment algorithm used to create new system accounts is based on the user's legal name at the time of account creation. After initial creation, usernames will not be changed to match legal name changes, because of the time consuming and error prone nature of moving files, e-mail, and permissions from one username to another. Upon request, we will set up an e-mail alias that is based on the new legal name. The new legal name associated with the existing username will appear in system address books and directories.
9. College-owned equipment issued to a specific employee is to be used solely by the designated employee.

Copyrighted Digital Content

1. Each user acknowledges that the College licenses the use of proprietary software from a variety of companies. Unless specifically authorized by the owner of the software through the licensing agreement, software and/or documentation relating to the use of the software, may not be duplicated.
2. No software may be loaded onto any Catawba College computer without clear licensing authorization. All College software must be purchased in partnership with the Information Technology department. Information Technology will load the software onto the College system or grant permission to do so. Information Technology maintains a master software license library for the College.
3. Employees may install personal software on their College-owned device provided that it does not interfere with business/academic use of the device or pose an information security risk. The employee will be liable for any costs associated with unauthorized software purchases and/or installation.
4. No copyrighted content (music files, movies, etc.) should be illegally downloaded or shared using the Catawba College computer network.

Electronic Mail

1. Using electronic mail to send fraudulent, harassing, obscene, indecent, profane, intimidating, or unlawful messages is prohibited.
2. Transmitting chain letters or commercial solicitations via email is prohibited.
3. An approved list of campus community members has access to send email to large internal distribution lists, such as allcatawba. Email transmissions to these large distribution lists are reserved for communications related to official College business and campus-wide official College events. Email about charitable, social, or political causes or events can also be sent directly to these lists provided the cause or event is sponsored by a group or department officially associated with Catawba College. Anyone emailing the large internal distribution lists inappropriately is subject to having their access to these distribution lists revoked.
4. Catawba's email system cannot be used to send email to large groups of people outside of the Catawba College community (more than 1500 per day). Admissions and the Development office have systems in place to send email to large numbers of prospective students and alumni and friends of the College without violating anti-spam laws. All bulk email communications should be coordinated through one of these offices. All bulk email communications outside of these offices and unrelated to their audiences should be coordinated through the Marketing and Communications Office.
5. Users acknowledge that email can be a source of viruses and spyware and agree to exercise extreme caution when opening email attachments and clicking on email links. When in doubt, forward questionable email to infosec@catawba.edu to obtain IT advice.
6. Users acknowledge that phishing emails are often used to fraudulently obtain information. Users agree to verify the legitimacy of the information request and the identity of the requestor (the ‘from’ email address is not a reliable indicator) before responding. When in doubt, forward questionable email to infosec@catawba.edu to obtain IT advice.
7. Users agree to not send highly confidential or personally-identifiable information through unencrypted email. Contact the IT help desk for assistance in sending encrypted email.

Internet/Network Use

1. College technology resources are reserved first and foremost for teaching and learning and other official College business. Personal use of these resources is allowed to students and employees to the extent that such use does not interfere with the primary mission of the College. These resources may not be used in support of any outside business venture, profit or non-profit.
2. The receipt or transmission of materials on the Internet in violation of any U.S. law, law of the state of North Carolina, or policy of Catawba College is strictly prohibited.
3. Internet resources may not be used to transmit or to receive any materials that may be judged objectionable based upon generally applied standards set by the College.  Specifically prohibited is the receipt or transmission of materials whose subject matter is excessively violent, contains explicit sexual content and/or obscene language.
4. College resources may not be used to attempt to gain access to any computer system, on or off-campus, to which the user does not have proper authorization.
5. The use of port scanners and other computer hacking tools is specifically prohibited.
6. Wireless access points and/or devices that function as a wireless access point (such as wireless printers and mobile hotspots) may not be connected to the Catawba network or operated on the Catawba campus by anyone outside of Information Technology.
7. Information Technology reserves the right to block access to internet sites and/or software applications that are classified as significant information security threats by trusted security vendors.
8. For security reasons, employees and resident students are required to use the secure wireless network (CatUSkyNet2). The guest wireless network (Catawba Guest) should only be utilized by very occasional users of campus wireless. 

Laboratory Regulations and Care of Facilities

1. Smoking or bringing food or drinks into the computing laboratories is prohibited unless otherwise noted.
2. Users may not move or in any way tamper with computer laboratory equipment without prior authorization from Information Technology.
3. Users agree to help maintain a reasonable state of cleanliness and order in all Catawba College computing facilities.
4. Course homework and other academic work has priority over other computer uses such as game-playing, chat rooms, and non-course-related emailing or web browsing.  Users agree to relinquish lab stations, when needed, to those pursuing higher priority activities.
5. Loud music, loud games, talking, or any other activities that disturb other users are prohibited.
6. Users agree to comply with all reasonable requests from College personnel, including requests to relinquish equipment for a higher priority activity, to cease disruptive activity, or to leave the computing laboratory.
7. Users agree to report any equipment problems to the IT help desk.

Monitoring

1. Each individual user must recognize and acknowledge that the Information Technology Department may observe, log, monitor and track all use of computer resources in order to assure that the computer resources are only being used by authorized users for authorized purposes.
2. The College reserves the right to determine, through monitoring, whether any user is utilizing the system for a possible improper activity.  In the event that a possible improper activity is discovered, Information Technology personnel may provide evidence obtained by monitoring to the College and/or law enforcement personnel.  If the activity disclosed is criminal, the College may request that prosecution be undertaken by the appropriate authorities.  In any event, the individual's right to utilize the system may be suspended until a determination has been made as to whether or not the use was improper.  If improper use occurred, the individual may be notified that his/her right to access has been terminated.
3. Monitoring may further be utilized to assure that users are not sharing system logins. Every user assumes full responsibility for use of his/her system login, whether authorized or not, and recognizes that his/her system access may be suspended or terminated for improper use, regardless of who actually perpetrated the improper use.
4. Each authorized user acknowledges that his/her authority to utilize computer resources is limited.  If, during the monitoring process, it is determined that an individual may have exceeded his/her authority, the individual will be subject to further monitoring and recording, and Information Technology personnel will have the right to terminate the use of the computer system by that individual.
5. Information Technology may gain access to user accounts, home directories, and email directories if needed to correct account problems or potential problems such as quota violations or virus-infected files.  Information Technology may check any component of the College computing system at any time for virus-infected files or illegally installed software.

Printing

1. Students are allotted a $45 quota per semester for printing and/or copying. Funds can be added to this quota online via CatLink – My Account tab - Quotas channel.
2. All toner cartridge replacement for campus networked printers is handled by the Information Technology Department. If printer supplies are low, contact the IT helpdesk.
3. Procurement of additional campus printing devices must be done in partnership with the Information Technology department.
4. Use approved brand-name labels in campus printers. If in doubt, consult the Information Technology department.

Virus Protection

1. Users agree to virus-scan any media used on any College computer before it is accessed for any other purpose.  Users also agree to virus-scan any files downloaded from the Internet.
2. Any computer attached to the Catawba College computer network must have a current version of virus-protection software installed and be current with Microsoft Critical Security patches.
3. Employees with an infected computing device must immediately bring it to the Information Technology department for remediation. Network access may be reduced until remediation is complete.
4. Students with an infected computing device must immediately bring it to the Information Technology department or another resource for remediation. Network access may be reduced until remediation is complete and verified by the Information Technology department.

Violation of the Agreement

1. Users who violate this policy may be subject to having privileges suspended or terminated.  The Chief Information Officer may also refer the faculty member, staff member, or student whose conduct violates this policy to another appropriate individual or College body for discipline in accordance with the Employee or Student Handbook.
2. In the event that this procedure is violated by a member of the general public, the Chief Information Officer may suspend or terminate computing privileges.  Additionally, if the action of the individual violating the policy places the College at risk of financial liability, the member of the general public may be subject to a civil action to recover those financial losses.

Revised on June 28, 2016

What You Need to Know About Sharing Music, Movies, and More

There can be serious consequences for those who engage in illegal sharing of copyrighted material. The FAQs below are meant to help you understand what is legal and what is not so that you can make informed choices and act in accordance with the law and Catawba College policy:

• What is Digital Rights Management and the Digital Millennium Copyright Act?
  The Digital Millennium Copyright Act (DMCA) passed by Congress in 1998, makes it illegal to copy or share intellectual property — music, videos, games, software and other materials — without permission. Digital Rights Management (DRM) refers to the technologies used by publishers and copyright owners to control access to and usage of digital data.  The DMCA makes it illegal to produce and distribute technology that circumvents these copy-protection methods.
• Is it really illegal to share music and movies from my computer?
  Yes, in most cases. More specifically, it is illegal unless you own the copyright on the work or have permission from the owner to distribute it. For the vast majority of material (e.g., anything that is for sale in stores or online) it is illegal to download or upload copies. There are a few exceptions:
  • You can legally distribute material that you have the rights to, e.g. material that you create and publish yourself.
  • If the owner (typically the creator) gives you permission to give away the material, e.g. CDs of your friend's band.
  • Streaming via iTunes is legal for music purchased from the iTunes music store.

Unauthorized downloading or uploading of copyrighted material can result in legal action against you, including lawsuits by the copyright holder or their agent (such as the RIAA). It is also a violation of Catawba College's Acceptable Usage Policy for Computing and Network Resources.

• Is it legal to just download material from peer-to-peer services, as long as I don't share it with others?
  Peer-to-peer sharing of copyrighted material without the copyright holder's permission is illegal, whether you are sharing it or downloading it. Downloading copyrighted materials illegally is analogous to taking possession of stolen property. Sharing copyrighted material illegally is analogous to distributing stolen property. In most cases, the software you use to download files automatically makes your machine into a server, so you may be sharing files without even realizing it.
• Isn't sharing music protected as "fair use" under copyright law?    
  The doctrine of fair use is an important one, especially in an academic setting. But the vast majority of online music sharing is done in ways that do not constitute fair use.
• What risks result from illegally obtaining or sharing copyrighted materials?      
  Copyright holders can file lawsuits against you, a tactic that they are currently pursuing aggressively, especially on college campuses. They can notify Catawba College of infringements that are taking place on campus, and require us to intervene to stop them. Catawba College is committed to responding to lawful requests for information and will not protect or defend a campus community member against criminal investigations or lawsuits resulting from copyright infringement.
  Anyone found liable for civil copyright infringement may be ordered to pay either actual damages or statutory damages affixed at not less than $750 and not more than $30,000 per work infringed. For willful infringement, a court may award up to $150,000 per work infringed and assess costs and attorneys' fees. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense. For more information, please visit the United States Copyright Office website, especially their FAQs.
  Copyright infringement and unauthorized access to digital materials is subject to disciplinary action by Catawba College as detailed in the Faculty, Staff, and Student Handbooks.
• Where can I learn more?        
  The Consortium of College and University Media Centers and the Music Library Association both have sites that address copyright issues, including fair use, in college and library settings.
  For some insight into how some copyright holders view these issues, visit the sites of the Recording Industry Association of America or the Motion Picture Association of America.
  There are many ideas on how current law or business practices could be changed to reduce the incentive to steal music and still reward the creators. Here's just one, from the Electronic Frontier Foundation. 

Legal Online Sources for Copyrighted Material

There are many legal sources for copyrighted materials, such as music and movies. These sources utilize a wide range of business models, and some are even free. The most up-to-date and comprehensive lists of legal sources are maintained by industry associations, whose web sites also present additional information and various perspectives on copyright issues.

Catawba's plan to combat illegal sharing of copyrighted materials is in compliance with the final version of the Higher Education Opportunity Act (HEOA) issued on October 29, 2009. The College's plan includes the following four components:

1. Educate the Campus Community about Copyright Law and Campus Policies Related to Violating Copyright Law
   • Catawba College views education as the most important element in combating illegal sharing of copyrighted materials. We use a wide variety of mechanisms to inform our community about copyright law and Catawba's response to copyright infringement claims:
   • In order to use College computing resources, all members of the community agree to comply with Catawba College's Acceptable Usage Policy for Computing and Network Resources which includes a section on copyright compliance.
   • New students are educated about copyright law, illegal file sharing, and the dangers of peer-to-peer file sharing software during the technology training session conducted by the Information Technology department and the college life training conducted by Student Affairs during new student orientation.
   • Each fall, an email is sent to the campus community under the joint signatures of the Dean of Students and the CIO regarding the serious negative consequences associated with illegally obtaining or sharing copyrighted materials.
   • We publish information in the Student, Faculty, and Staff Handbooks about the importance of complying with copyright laws and provide website links to campus policies that deal with copyright compliance and responding to detected or reported copyright infringement.
   • Information about copyright law, the dangers of illegal file sharing and peer-to-peer file sharing software are published on the College website, along with campus policies and procedures related to copyright law compliance.
   • Information Technology and Student Affairs staff are trained on copyright issues, policies, and procedures and regularly communicate with campus community members about these issues on an individual basis as a need or opportunity appears.  
2. Effectively Combat Unauthorized Distribution of Copyrighted Materials on the Campus Network
   • Catawba College employs two methods to combat unauthorized distribution of copyrighted materials on the campus network
   • The College uses proactive technology-based deterrents.
   • Catawba employs a combination of packet-shaping and firewall rules to block transmissions employing networks or protocols typically used for illegal file sharing. Additionally, an intrusion detection system is in place that alerts the College's networking staff about any peer-to-peer traffic traversing the campus network.  
   • The College responds quickly and thoroughly to all detected or reported copyright violations.  
   • In the event that potential copyright infringement activity is detected (via the technology-based deterrents outlined above) or reported (via a Digital Millennium Copyright Act (DMCA) notice or other reliable report), the offender's computer account is placed in quarantine. This prevents the offending campus community member from accessing the campus network, campus software applications, and campus computer labs. The community member is notified that their account will remain in quarantine until the Information Technology department has ensured that any infringed materials and peer-to-peer file sharing software are removed from their computer system(s). Additionally, student offenders are reported to the Dean of Students and subject to student judicial proceedings as outlined in the Student Handbook. Faculty offenders are reported to the Provost and subject to disciplinary measures as outlined in the Faculty Handbook. Staff offenders are reported to the Human Resources Director and subject to disciplinary measures as outlined in the Staff Handbook.
3. Offer the Campus Community Legal Sources for Copyrighted Materials
   • In order to demonstrate to the campus community that there are many legal options available, Catawba College maintains a web page that links campus community members to many resources for finding legal alternatives for online music, movies, and more.
4. Periodically Review the Effectiveness of Our Efforts

To assess the effectiveness of our efforts to combat illegal distribution of copyrighted materials, the College annually reviews its plan using the following assessment criteria:

• • Is the number of reported and detected infringements decreasing, either as an absolute number or as a percentage of the campus population?
  • Is the number of repeat offenders decreasing, either as an absolute number or as a percentage of the campus population?
  • The results of this annual review, as well as any modifications to the campus plan based on this review, will be published here.
    • Academic Years 2012-2019:  There were no reports of copyright infringement.
    • Academic Year 2011-2012:  There were no reports of copyright infringement.
    • Academic Year 2010-2011: In August 2010, Catawba College published its plan to combat illegal file sharing in compliance with the Higher Education Opportunity Act. There were no reports of copyright infringement.
    • Academic Year 2009-2010: Catawba College responded to three reports of copyright infringement. There were no repeat offenders.

Purpose: 

The purpose of this policy is to provide a consistent method of handling any information security incidents that may occur on the Catawba network.

Scope: 

This policy applies to all Catawba College students, faculty, and staff.

Policy: 

An information security incident is defined as any event that affects the confidentiality, integrity, or availability of network resources. Any of the following would constitute an information security incident:

• Any potential violation of federal law, North Carolina law, or Catawba College policy involving a Catawba Information Technology (IT) asset
• A breach, attempted breach, or other unauthorized access to a Catawba IT asset
• Any Internet worm, virus, Denial of Service (DoS) attack, or related incident
• Any change in a computer system that disables or defeats security precautions that have been installed on the machine
• Any conduct using in whole or in part a Catawba IT asset that could be construed as harassing or in violation of Catawba College policies.

The appropriate authorities should be notified immediately of any suspected or real information security incident. If it is unclear as to whether a situation should be considered an information security incident, IT should be contacted to evaluate the situation.

• Incidents that potentially involve violation of federal or state law should be immediately reported to Campus Safety (704-637-4000).
• Incidents that potentially involve malicious or accidental damage to the Banner enterprise database should be reported to the Director of Enterprise
• Incidents that potentially involve harassment should be reported to the Student Affairs
• Any other potential information security incident should be reported to the IT Help

In the event of an incident that potentially involves malicious or accidental damage to the Banner database, IT will do the following:

• If the incident still has the potential of causing damage, we will shut the database down
  • Shutdown generally will be authorized by the Director of Enterprise Systems or the CIO.
  • In the event of an emergency where the Director of Enterprise Systems or the CIO is unavailable, a member of the Systems & Networking team is authorized to shutdown the database.
• If the incident already has occurred and does not have the potential of recurring, we will ascertain the extent of the damage and take appropriate measures
• In any event, the Director of Enterprise Systems or CIO will authorize the DBA to do one or more of the following:
  • Perform a complete database backup and schema export
  • Start up the database in restricted mode so that no user except the DBA can log on
  • Disable the user account in question
  • Extract data changed via a report
  • Extract the audit trail of the change via report
  • Correct the changed data

The DBA will document the following:

• Post-incident actions
• A report of any data that was changed

In the event of an incident, such as a virus, worm, or DoS attack that threatens the health and security of the campus network, IT will do the following:

• The Systems & Network Team will analyze the problem and attempt to confirm that it is the result of an information security incident.
• If a compromised computer is actively causing widespread network problems, the computer’s network access will be revoked without prior notification.
• In extreme and widespread cases of infection, network access may be revoked for a significant portion of the college
• If a College-owned computer has been disconnected from the network, the IT Help Desk will assist in cleaning and protecting the machine.
• If a personal computer has been disconnected from the network, it is the owner’s responsibility to clean the machine and take any other steps necessary to safeguard it from future attacks.
  • The IT Help Desk offers virus removal for a fee.
  • Network access will remain revoked until IT has verified that infected or compromised computers have been restored to health.

If IT detects that a user has disabled or defeated security precautions that have been installed on his or her machine, IT will do the following:

• The IT Help Desk staff will examine the machine to confirm that there is an information security problem
• If there is a problem, the IT Help Desk staff will inform the user of the importance of information security on the machine and advise them of ways to avoid disabling information security features

Enforcement: 

Any network user found to have violated this policy may be subject to disciplinary action, including suspension or termination of network privileges.

Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

If infractions also violate local, state, or federal laws, other civil or criminal penalties may apply.

The College reserves the right to monitor previous offenders for further abuse.

Approved by Cabinet on September 4, 2013

Purpose:

The North Carolina Identity Theft Protection Act requires organizations to notify persons whose personal information held by the organization has been compromised by an information security breach.

The purpose of this policy is to define the circumstances and procedures under which required notifications will be made.

Scope: 

This policy applies to all Catawba College students, faculty, and staff.

Definitions: 

Personal Information is defined by the North Carolina Identity Theft Protection Act as a person’s first name or first initial and last name in combination with any of the following items:

• Social Security or employer taxpayer identification number
• Driver’s license, state identification card, or passport numbers
• Checking account numbers
• Savings account numbers
• Credit or debit card numbers
• Personal Identification Number (PIN code)
• Digital signatures
• Any other numbers or information that can be used to access a person’s financial resources
• Biometric data
• Fingerprints

Even if listed above, however, “personal information” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.

Information Security Breach is defined as an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information, along with the confidential process or key, also constitutes an information security breach.

• Good faith acquisition of personal information by an employee or agent of the College for a legitimate purpose is not an information security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the College and is not subject to further unauthorized disclosure.

Policy: 

• Any information security breach should be reported to the Chief Information Officer (CIO) and the IT Security Administrator immediately upon discovery.
• In the case of an information security breach that results in disclosure of personal information, Catawba will notify the affected individuals without unreasonable delay.
• Notification will be delayed if a law enforcement agency determines that notification will impede a criminal investigation.
  • In this case, notification will be provided without unreasonable delay after the law enforcement agency determines that it will not compromise the investigation.
• A copy of the notification will also be provided to the Director of Marketing & Communications prior to the time it is posted or sent to affected individuals.
• The notification will be clear and conspicuous and include all of the following:
  • A description of the incident in general terms
  • A description of the type of personal information that was subject to the unauthorized access and acquisition
  • A description of the actions taken by the College to protect the personal information from further unauthorized access. However, the description of those actions may be general so as not to further increase the risk or severity of the breach.
  • A telephone number that the person may call for further information and assistance
  • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
  • The toll-free numbers and addresses for the major consumer reporting agencies
  • The toll-free numbers, addresses, and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office, along with a statement that the individual can obtain information from these sources about preventing identity theft
• Notification to those affected will be provided by one of the following methods unless substitute notification is permitted:
  • Written notification, or
  • Electronic notification, for those persons whom the College has a valid e-mail address and who have agreed to receive communications electronically, or
• Telephonic notification provided that the contact is made directly with the affected persons
• Substitute notification may be given if:
  • The cost of providing the notification exceeds $250,000; or
  • The College does not have the necessary contact information to notify an individual in any of the aforementioned manners; or
  • The College is not able to identify particular affected individuals.
• If given, substitute notification will include all of the following:
  • E-mail notification when the College has an electronic e-mail address for subject persons;
  • Conspicuous posting of the notification on the College’s web page; and
  • Notification to major statewide media.
• Whenever notice of an information security breach as defined by this Policy is given to at least one person, the College, without unreasonable delay, will notify the Consumer Protection Division of the Attorney General’s Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
• Whenever notice of an information security breach as defined by this Policy is given to more than 1,000 persons, the College will notify, without unreasonable delay, all three major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

Enforcement: 

Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

Approved by Cabinet on September 4, 2013