Policy number: CS-1502-2002
Policy Title: Acceptable Employee Use of IT Resources Policy
Policy Owner: Chief Information Officer
Effective Date: June 2002
Last Revised: May 20, 2021
The purpose of this policy is to provide College employees with guidance on acceptable and unacceptable use of the College’s Information Technology (IT) resources. Computing, networking, telephony, and information resources of Mohawk College are available to advance our education, teaching, research, and administration service missions. Any access and use of these resources and services that interfere with these goals are prohibited.
All who access and use these resources will abide by this policy, all applicable policies, legal and contractual requirements, and the highest standard of ethical principles and practices, when using these College resources.
This policy applies to all employees, contractors, consultants, volunteers, researchers, or other workers including College community members that use any component of the College’s computing, networking, telephony and information resources regardless of the physical location or device used. This policy excludes students, except where students are employed by, or on a work placement with, the College.
“Authenticate” refers to the process of logging onto an IT resource by validating a user’s identity. This is typically completed by providing a username and then validating that username by providing something you know such as a password, something you have such as a card, or by providing something you are – such as a biometric piece of information (fingerprint, retina scan, palm, etc.).
“IT Infrastructure” refers to software, hardware, devices, mobile devices, networks, server systems, data storage, data centres, related equipment, and cloud-based technologies.
“IT resources” refers to any IT Infrastructure component that can be interacted with and used by users such as a computer, application, mobile phone, data, removable storage etc.
“Manager” refers to a person who has charge over a workplace or authority over a worker, including, Managers, Directors, Associate Deans, Deans, Registrar, Chiefs, Vice Presidents and President.
“Sensitive Information” includes information that should not be shared and may include restricted, confidential, or personally identifiable information or documents which may be marked as “Internal Use Only.”
“System Administration” refers to the act of system upkeep, configuration, and reliable operations of an information technology system and can only be completed by having administrative access to a system to make changes.
“Untrusted Software” refers to software that does not come directly from the source of a reputable company that sells or distributes that software or software that is obtained from a third-party source or illegally downloaded.
“User(s)” includes any person that uses or operates an IT resource.
“VPN” stands for Virtual Private Network and is a software application that creates a secure encrypted tunnel between a remote computer and the College campus. Using this technology ensures that data communications are kept secure.
This policy is based on five key principles:
Ethics, Values and Fairness
Exercise common decency, good judgement, and respect for the College community members and property.
Preserve the integrity and availability of systems and services and ensure that actions taken by College community members do not negatively affect College IT resources.
Protect and safeguard College IT infrastructure and information.
Use of IT resources adheres to all legal, regulatory and College policy requirements.
Access to IT resources is uninterrupted and accessible when needed.
5.1 Accountability Framework
This policy has been approved by the Senior Leadership Team.
The Chief Information Officer and the Manager of IT Security in cooperation with other departments will enforce compliance with this policy through multiple means including but not limited to monitoring, reporting, observation, and audit.
6.1 Chief Information Officer
The Chief Information Officer is accountable for the security of all IT resources.
6.2 Manager, IT Security
The Manager of IT Security is responsible for the security of all IT resources and communicating IT Security Policies to employees.
Managers are responsible for:
- communicating IT security policies and procedures to employees;
- complying with all IT policies and procedures;
- ensuring that IT resources are procured in compliance with the IT Asset Management Policy and configured and maintained in compliance with all IT Policies.
- working collaboratively with Information Technology and IT Security Services to secure resources.
- ensuring completion of any mandatory IT training.
6.4 Individual Users of IT Resources
All users of IT resources are responsible for protecting the confidentiality, integrity, and availability of our information and systems in accordance with this policy.
7.1 Authorized Use
All users of Mohawk College IT resources must use those resources to carry out the functions for which they were authorized, specifically:
- Access to IT resources shall only be provided to active employees, contractors, consultants, temporary, part-time, or other workers in compliance with Mohawk College’s IT User Account Life Cycle Policy. Visitors may be provided access to limited resources such as Wi-Fi when registered through Eduroam eVA, or when registered with the IT Service Desk.
- Use of IT resources must align with the appropriate Academic, Support, Research, or Administrative intentions for which they are provided.
- Access to and use of IT resources is limited to those which the employee is authorized to use.
- Employees must always authenticate using the College provided account which was assigned specifically to them to access IT resources and should not use any other user account other than their own when accessing IT resources unless an exception has been granted by IT Security.
- Employees must return all IT resources at the end of employment or when their role changes including but not limited to desktops, laptops, tablets, removable media, and mobile devices.
7.2 Personal Use
Occasional personal use of IT resources is permitted in accordance with the following. Users:
- Must not use IT resources in a way that interferes with employment duties.
- Must not create any monetary cost to the College.
- Must keep browsing limited to trusted, reputable websites.
- Must not threaten the security or availability of IT resources.
Although the College permits occasional personal use of its IT resources, the College reserves the right to restrict occasional incidental personal use of IT resources at any time and as the College sees fit and is not responsible for personal data stored on College resources.
7.3 Prohibited Use
All users of Mohawk College IT resources are strictly prohibited from:
- Using IT resources for any political, religious, or commercial activity, or, for conducting any personal business in which they would receive personal or financial gain unless they have received permission from the Conflict of Interest Committee in accordance with the Conflict of Interest Policy.
- Using IT resources in a way that interferes with employment duties, or, creates any monetary cost to the College.
- Exporting software from the College for resale or distribution.
- Exporting any intellectual property of the College or business partners without the appropriate consent or contractual agreements.
- Accessing or creating discriminatory, defamatory, bullying, harassing, offensive, pornographic, or obscene content.
- Performing Information Technology System Administration from a personally owned device.
- Deliberately circumventing or attempting to circumvent data protection and system access controls.
Users of IT resources must not knowingly place the security of information or systems at risk. At all times, Users must:
- Set a strong password that at minimum complies with Appendix B of this policy.
- Comply with the Information Security and Data Classification Policy at all times regarding collecting, classifying, labelling, securing, storing, using, copying, transferring, and disposing of information.
- Keep your passwords and pin codes secure and never share them with any individual.
- Contact the IT Service Desk immediately in the event of an IT security incident; see Appendix A for the procedure.
- Take precaution prior to opening any attachment or clicking on links within electronic messages.
- Store all work on central College servers or authorized cloud services to ensure that sensitive, confidential and personal information is protected and that work is backed up regularly.
- Never use personal e-mail accounts to conduct College business.
- Only upload sensitive information to cloud services which are approved by IT and have been subject to a risk assessment in compliance with Mohawk College’s IT Asset Management Policy and are present on Information Technologies Application Inventory. Contact the IT Service Desk to confirm the application is approved before use.
- Comply with the College’s Local Administrators Policy and never install untrusted software or applications on IT infrastructure or resources.
- Always use the College provided VPN when performing work remotely.
- Ensure that personally owned devices that may come in contact with IT resources are protected with antivirus software, a personal firewall, and regularly install security updates and patches to operating systems, applications, and web browsers.
No individual shall knowingly breach, compromise, endanger or threaten the College’s IT resources, attempt to do so, or allow others to do so. This includes probing, scanning, assessing, penetrating or affecting the availability of College IT resources. Users must report any misuse of IT resources to the IT Service Desk, or to the Chief Information Officer. Failure to report misuse may result in the assumption that the User who witnessed the misuse was party to the act.
Mohawk College reserves the right and responsibility to protect the College and community members from security threats and inappropriate use of IT infrastructure and resources by taking actions, including but not limited to:
- Quarantining your device and resetting your account password immediately and without your awareness or consent.
- Monitoring computers, mobile devices, systems, networks, services, accounts, web activity, and user activity.
- Denying a user the right to access IT resources at any time the College deems necessary.
Use of the College’s IT resources is subject to, and must comply with, all applicable laws and College policies and procedures, including this policy. Non-compliance with applicable laws and regulations may result in civil liability or criminal prosecution. The College reserves the right to restrict or deny access to its IT resources, to monitor your use of those resources and to take actions it deems necessary or appropriate to protect College IT resources. By using the College’s IT resources, Users are confirming agreement with this policy.
In addition to the above, Users of IT resources must also comply with:
- Applicable collective agreements, terms and conditions of employment and code of conduct;
- Copyright Laws including, but not limited to, the sharing of pirated software, audio, and video.
- Licensing agreements; and
- Any other agreements between the College and an external service provider.
Noncompliance with this policy may result in any one or combination of the following sanctions:
- Verbal warnings;
- Written warnings;
- Restricted access to, or complete withdrawal of access to IT resources;
- Suspension from work;
- Recovery of costs due to damages or fees; and/or
- Criminal or civil action.
8.1 Revision Date
The Chief Information Officer will review this policy every five years or earlier where required.
- Appendix A - Reporting an IT Security Incident
- Appendix B - Secure Password Requirements
- S-1306-1979 Conflict of Interest Policy
- CS-1317-2012 Respectful Workplace (Harassment and Discrimination) Policy
- CS-1500-2013 Web Posting and Electronic Notifications Policy
- CS-1501-2007 Electronic Communications Policy
- CS-1503-2007 Wireless and Cellular Technology Policy
- GC-4100-2013 Intellectual Property Policy
- GC-4101-2013 Copyright Policy
- GC-4200-2013 Social Media Policy
- IT User Account Life Cycle Policy
- Information Technology Infrastructure Security Policy
- Requirements for Encryption Policy
- Academic Collective Agreement
- Support Staff Collective Agreement
- Terms and Conditions of Employment for Administrative Staff
- Mohawk College Strategic Plan
- Employee Code of Conduct
- Privacy and Legal Statements
- Copyright Act
- Employee Departure Checklist
What is an IT Security Incident?
An IT Security Incident is an incident that may affect the confidentiality, integrity or availability of the College’s IT infrastructure through unauthorized access, accidental disclosure, or other means, including:
- The presence of any form of malicious software (malware, viruses, worms, etc.).
- The presence of any abnormal software that was not previously present on a computer or server.
- Suspicion that your user account has been compromised.
- Intentional or accidental exposure of sensitive information.
- Web browsers re-directing automatically or producing popup messages or advertisements unexpectedly.
- File types, formats, or naming conventions changing unexpectedly or files not opening as expected.
- Slow computer performance, applications hanging, or any unexpected behaviour.
- Notifications that anti-virus or firewalls are not running or are disabled.
- Clicking a link, opening an attachment, or providing credentials in response to a suspicious e-mail.
- Lost or stolen devices including but not limited to laptops, mobile phones, desktop computers, portable storage devices, switches, etc.
Reporting an IT Security Incident
- Disconnect the network cable from the computer and/or disable Wi-Fi.
- Do not power off the computer.
- Contact the Mohawk College IT Service Desk immediately by phone if you believe you are experiencing an IT Security incident regardless of your location.
- Phone: 905 575 1212 x2199
- Inform your immediate manager of the current status.
- Make notes about the IT incident to make sure that you can provide clear and accurate information to IT staff.
- When making notes, consider the following:
- What happened?
- What websites have I visited recently?
- Have I received any suspicious e-mails that were actioned recently?
- When did it happen? (specifically at what time)
- Where did it happen? (Physical Location and Network Location, ex: Wireless)
- Who was involved?
- Could there be sensitive, personal or confidential information at risk?
All users must set passwords of high quality to protect their accounts from compromise following the requirements below.
- Be a minimum of eight characters in length;
- Not be the same as the last six passwords used;
- Use three of the following four character classes:
- Lower Case Letters;
- Upper Case Letters;
- Be free of multiple consecutive characters or numbers;
- Not be based on something that could be easily guessed or a dictionary word;
- Not be the same as passwords used for personal accounts.
In addition to the rules above, passwords must be reset if they are ever shared or exposed. Information Technology will immediately reset any password should it be suspected to be compromised.