Acceptable Use of Information Technology

Updated 4/2/2018

Printable PDF of this policy

Purpose

The purpose of this policy is to define acceptable use of Massachusetts Maritime Academy’s (MMA) applications, hardware, information and other information technology-based resources and systems.

Scope

This policy applies to any person utilizing MMA’s information technology-based resources, including faculty, staff, students and contractors.     

Policy

Information technology resources are intended to support the mission of the Academy.  As such, users are encouraged to utilize MMA’s information technology resources to the fullest extent.  The Academy expects that these information technology resources are utilized in a responsible manner and reserves the right to limit or remove access at any time.

MMA’s electronic communications systems, including internet access, telephony, email, and messaging services, are to be used primarily for Academy-related purposes.  Users shall have no expectation of privacy over any communication, transmission, or work performed using or stored on MMA’s information technology resources.  The Academy reserves the right to monitor any and all aspects of its information technology resources and to do so at any time, without notice, and without the user's permission.

Inappropriate use of the MMA information technology-based resources include the following list, which is a representative sample and may not be complete:

  • activities that violate local, state, or federal laws;
  • excessive, unreasonable or unauthorized personal use;
  • performing large data downloads of movies, music, or similar, whether academically appropriate or not, during peak or busy times;
  • storing, sending or forwarding e-mails that contain libelous, defamatory, racist, obscene, inappropriate, or harassing remarks;
  • visiting or sending information to or receiving or downloading information from Internet sites involving inappropriate topics such as pornography, terrorism, violence, racism, or gambling;
  • running servers or wireless access points without prior permission from an MMA IT staff member or designee;
  • accessing online games or gambling sites other than for academic purposes;
  • soliciting the purchase, sale, rental, or lease of private personal property, goods, services, or real estate;
  • infringing on intellectual property rights;
  • for any political purpose not permitted under a collective bargaining agreement.

Use of Information Technology Resources

Access
Users of MMA’s information technology resources are authorized to access only systems, including hardware and software, where access has been approved, per the Computer Access Control and Management Policy.

Remote Access
Remote access to MMA’s information technology resources can be less secure than local access.  As such, remote access is authorized for only those users with an approved business use.  Users who have been approved for remote access are responsible for adhering to the requirements as defined in the Remote Access Policy.

Cloud Computing and Storage
Advances in cloud computing offer convenient solutions to technology-based problems such as data storage and connectivity.  Data placed on any cloud computing storage solution must adhere to the same policies as data stored on MMA’s internal computing resources. 

Computer Virus and Malware Protection
It is important that users take particular care to avoid compromising the security of the MMA network. Users shall exercise reasonable precautions in order to prevent the introduction of a computer virus or other malware into the MMA network.  Virus scanning software is installed on all MMA systems and is used to check any software downloaded from the internet or obtained from any other source.  Users are prohibited from disabling, or attempting to disable, virus scanning software.  Users must scan portable media devices for viruses and malware before using them to see if they have been infected.  If users are unsure of how to utilize virus and malware scanning tools, they should contact the MMA Helpdesk for additional information.

Information Security Awareness Training
MMA faculty and staff members will be required to attend security awareness training upon hire and at least annually thereafter.  For additional information on MMA’s Security Awareness program, refer to the Security Awareness Training Policy.

Messaging Technologies
Use of email should never be used to transmit confidential or restricted information in an unencrypted format.  Users must pay additional attention to email content and senders and they must not open email attachments from unrecognized or suspicious senders. If there are questions about the security of an email, email attachment, or email messaging technology users should contact the MMA Helpdesk.  For additional information on the use of e-mail and messaging technologies at MMA, consult the Email Communication Policy.

Password Use
Many of MMA’s information technology resources require the use of a unique user account and password.  Unfortunately, due to the rising use and effectiveness of password guessing tools and social engineering campaigns targeting users, it is important for all MMA faculty and staff to create strong passwords and protect these passwords. To this end, faculty and staff must never share their passwords with anyone else, must maintain privacy of their password and must promptly notify the MMA Help Desk if they suspect their passwords have been compromised.  For additional information on password creation, use and protection, refer to the MMA Computing Password Policy.

Physical and Environmental Security
Assistance from users is required to ensure a physically and environmentally secure working environment. Users are required to be aware of locking and access restriction mechanisms and must proactively challenge unidentified or unescorted personnel within restricted areas of the campus. Additionally, to aid in the physical security of workstations and information technology resources, users who will be leaving their devices unattended must log off or lock the system before leaving.  Some campus computers will automatically lock after a specified amount of time of inactivity for additional security.  For additional information, refer to the MMA Physical Security Policy.

Enforcement

Any person found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, termination of employment or expulsion from the Academy.

Roles and Responsibilities

Under the direction of the Vice President of Technology and Library Services, the TLS Directors are responsible for coordinating and establishing procedures and practices which are necessary for compliance with this policy.

This policy is owned by the Vice President of Technology and Library Services, who will coordinate any and all revisions.

References

Framework
SANS Top 20 Controls
Regulationsa and Requirements
PCI DSS - MA 201 - HIPPA
Supporting Standards and Procedures
CSC 1, 2, 9, 12, 16    

 

Revision History

Version Number Issued Date Changes Made By Description of Changes
1.0 1/27/2016   Initial Policy
2.0 2/5/2016 Anne Marie Fallon Additions made to policy
2.1 3/8/2018 Anne Marie Fallon Changes made to policy
2.1 3/21/2018 Anne Marie Fallon Changes made to policy. Emailed for review.
2.1 4/3/2018   Policy Published.