Policies

Information Technology Policy

Approved By Date
Board of Trustees 10-19-2023
Executive Leadership Team 08-28-2023
ICORE 08-22-2023

Stanly Community College provides guidelines that govern the use of all technology resources to preserve the utilization of systems, to protect the privacy of data (including but not limited to financial information, student records, and electronic documents), and to preserve access to the Internet. All users shall adhere to the College’s information technology policies and procedures.


Information Technology Procedures

Approved By Date
Executive Leadership Team 08-28-2023
ICORE 08-22-2023
  1. GENERAL USAGE
    1. The College owns and operates technology systems, including technology hardware, software, electronic mail and other forms of electronic communications, Internet access, and use of computing devices. At times, the College contracts with a third-party to provide services and the College retains ownership of information technology services. The College reserves the right to monitor activities of any user and to access information on the College’s technology systems stored, sent, created, or received by faculty, staff, students, or other users. Any individual using the College’s technology resources should not expect individual privacy in their use of the technology system or service.
    2. Employees, students, vendors, and others with authorized accounts may use the College’s technology resources, including transmissions over the campus network, for educational purposes and official campus business so long as such use does not: 
      1. Violate any law or college policy.
      2. Involve significant use of college resources or otherwise interferes with the performance of college duties.
    3. Public use of computer equipment is limited to those located in the Learning Resources Center. Other use of computer equipment, except by students, faculty, or staff during class or for official college business, is prohibited.  
  2. COMPUTER USAGE 
    1. All computing devices, including portable computing devices such as laptops or tablets, shall:
      1. Use encryption or other measures to protect confidential information, including personal information, from unauthorized disclosure.
      2. If College property, be inventoried and monitored through the College’s asset management system.
      3. Be used in compliance with all applicable security requirements for the College’s computers. 
    2. The College’s mobile technology equipment, such as laptops and tablets, may be used at home by College employees provided:
      1. Use of the equipment at home will not interfere with the College’s operational needs.
      2. The employee returns items to campus upon request for system maintenance, upgrades, inventory, and verification.
      3. Prior to non-disciplinary separation from employment, the employee arranges to return the items, and following disciplinary separation from employment, agrees to cooperate in the College’s efforts to recover the items. 
    3. Unauthorized software applications are prohibited from being used on college computers without written authorization from the Information Technology Services (ITS) department.  Unauthorized software may be removed without notification. Unauthorized software includes any software that the college does not own. All software on college computing systems must be authorized by ITS. 
    4. User data saved on SCC desktops or laptops is not backed up and not guaranteed to be accessible. 
    5. The College’s Information Technology Services Department (ITS) maintains all College’s technology equipment. ITS does not support the use and setup of technology resources that are not owned and maintained by the College. 
    6. The College recognizes that employees may occasionally receive personal email on College computers and use College equipment to complete an online course and for other personal reasons. Personal use of College computers and equipment is acceptable provided that employees adhere to the following:
      1. Personal use may not interfere with the College’s operational needs.
      2. Equipment may not be checked out solely for the purpose of personal use.
      3. Users understand that data stored on College equipment or sent using College email or other communication methods is not private.
      4. Users will adhere to all state and federal laws and the College’s policies and procedures.
      5. Equipment or information resources will not be used for illegal, malicious, or obscene purposes.
      6. The College's data and information are not shared with unauthorized individuals.
      7. All software copyright and licensing laws are followed.
      8. Users will not use College passwords for non-college sites (e.g., social networking sites).
      9. Users will not share sensitive College information, confidential personnel information, or student details on social networking sites.
      10. Equipment is not used for any political purposes, including nonprofit activities of a political nature. 
  3. INTERNET & NETWORK USAGE
    1. The College strives to provide information technology access in an environment in which access is shared equitably among users. The College's information technology resources are intended for the use of its students, employees and other authorized individuals for purposes related to instruction, learning, research, and campus operations. College owned or operated technology resources are for the use of College employees, students and other authorized individuals.   
    2. Users are expected to exercise responsible, ethical behavior when using all College computer resources. This document makes no attempt to articulate all required or prohibited behavior by users of the College’s computer resources. Users of the College network are required to accept these terms and the Acceptable Use Agreement prior to accessing any College network. Credit card and e-Commerce transactions on campus computers and networks are conducted at the user’s own risk. 
    3. The College reserves all rights in the use and operation of its computer resources, including the right to monitor and inspect computerized files or to terminate service at any time and for any reason without notice.  
    4. The College makes no guarantees, warranties, or representations, either explicit or implied, that user files and/or accounts are private and secure. Neither the College nor any of its employees, officers, trustees, agents, or representatives, shall be held liable for (a) the accuracy, content, or quality of information obtained through or stored on the College Network; (b) any improper or incorrect use of its computer resources or services for any purpose, including through the introduction (whether by intentional, reckless, negligent, or other behavior) by another party of any computer virus, malware or other malicious product; or (c) for the actions of anyone using the Internet through the College’s network or College’s computers; and assumes no responsibility for anyone's use of its computer resources or services. The College does not accept liability for any personal equipment that is brought to the College and, therefore, will not assist with configuration, installation, troubleshooting, or support of any personal equipment. In no event shall the College nor any of its employees, officers, trustees, agents, or representatives be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, loss of service; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of its computer resources or services, including without limitation the use of any personal equipment to access its computer resources or services, even if advised of the possibility of such damage. This disclaimer of liability applies to any damages or injury, including but not limited to those caused by any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communication line failure, theft or destruction or unauthorized access to, alteration of, or use of record, whether for breach of contract, tortious behavior, negligence or under any other cause of action.
    5. No right of privacy exists regarding electronic mail or Internet sessions on the College Network or College-owned hardware.
    6. The College reserves the right to limit the allocation of computer resources. Failure to limit the allocation of computer resources at any time does not constitute a waiver of the right to limit the allocation of computer resources at a future time.
    7. The College makes commercially reasonable efforts to maintain computer resources in good working condition.
    8. The College provides free wireless Internet access. Users of wireless access must abide by the Acceptable Use Agreement and this Policy. Connection to the wireless network at any given time is not guaranteed.
    9. Any College employee who wants to use personally owned devices on campus can do so through the guest wireless public access network. Personally owned devices and equipment may not be used to access the campus LAN and internal resources. When using personally owned equipment on the College’s network, employees are expected to adhere to all policies and rules regarding such use.
    10. The College has the right to monitor the network and internet activities of personal devices attached to the College's network(s). Any individual using their personal devices to connect to the College’s technology systems should not expect individual privacy related to their electronic activities.
  4. EMAIL USAGE
    1. The College provides free electronic mail accounts to certain College employees based on job responsibilities, as determined by the employee’s appropriate Vice President or supervisor, and to all students who are enrolled in any course. 
    2. The use of College-provided electronic mail accounts must be related to College business, including academic pursuits. Incidental and occasional personal use of these accounts is acceptable when such use does not generate a direct cost to the College or otherwise violate the provisions within this Policy. 
    3. The College will make commercially reasonable efforts to maintain the integrity and effective operation of its electronic mail systems, but users are advised that those systems should in no way be regarded as a secure medium for the communication of sensitive or confidential information. Because of the nature and technology of electronic communication, the College cannot assure the privacy of an individual’s use of the College’s electronic mail resources or the confidentiality of messages that may be created, transmitted, received, or stored. 
    4. The College does not surveil electronic mail routinely but may do so as the College deems necessary. Students and employees should not have any expectation of privacy regarding their electronic mail addresses provided by the College. 
    5. The College reserves the right to conduct simulated phishing attack campaigns on its users. The purpose is to help users successfully identify attempts to gain access or gain account credentials through phishing emails. Remedial training is required of employees that share their credentials, click on malicious links, and/or open malicious attachments. These conditions are considered a failure of the phishing campaign. If a user has repeated failures within a one-year period, access to email and college technology resources may be revoked. In the case of an employee, this could result in consequences under the Progressive Discipline Policy. 
    6. Any user of the College’s computer resources who makes use of an encryption device shall provide access when requested to do so by the appropriate College authority. 
    7. The College reserves the right to access and disclose the contents of employees’, students’, and other users’ electronic mail without the consent of the user. The College will do so when it believes it has a legitimate business need including, but not limited to, the following:nvestigate indications of misconduct or misuse.
      1. To investigate issues of cybersecurity.
      2. To test and audit the functionality of processes and systems.
      3. To protect health and safety of students, employees or the community at large.
      4. To prevent interference with the College’s academic mission.
      5. To locate substantive information required for College business that is not more readily available.
      6. To respond to legal actions, requests to produce documents, or subpoenas.
      7. To fulfill the College’s obligations to third parties.
    8. Electronic mail, including that of students, may constitute "educational records" as defined in the Family Educational Rights and Privacy Act (“FERPA”). Electronic mail that meets the definition of educational records is subject to the provisions of FERPA. The College may access, inspect, and disclose such records under conditions set forth in FERPA.
    9. North Carolina law provides that communications of College personnel that are sent by electronic mail may constitute “correspondence” and, therefore, may be considered public records subject to public inspection under the North Carolina Public Records Act.
    10. Electronic files, including electronic mail, that are considered public records are to be retained, archived and/or disposed of in accordance with current guidelines established by the North Carolina Department of Cultural Resources or otherwise required by College policy and procedures.
    11. Users may not store, display, or disseminate unlawful communications of any kind, including but not limited to threats of violence, obscenity, pornography, or other illegal communications. This provision applies to any electronic communication distributed or sent within the College's network. Employees or students who receive any emails with this content from any SCC email account should report the matter to the Chief Technology Officer immediately.
    12. Employees, students, vendors, and others with authorized accounts may use the SCC email systems for educational purposes and official campus business. Sending chain letters, non-institutional solicitations, or joke emails from a SCC email account is prohibited. Virus or other malware warnings and mass mailings from SCC shall be approved by the Chief Technology Officer before sending. These restrictions also apply to the forwarding of email received by a SCC employee or student.
    13. Transferring copyrighted materials to or from any system or via the network without express consent of the owner may be a violation of federal or state law.
    14. Electronic mail, information passing over the college network, and information stored in user accounts are the property of the institution.  
    15. Employees, students, vendors, and others shall have no expectation of privacy in anything they store, send, or receive on the SCC email system. SCC may monitor messages without prior notice.
  5. INFORMATION SECURITY
    1. The College will provide individual user accounts to employee, students, vendors, and others. User accounts must utilize unique passwords and an approved form of multi-factor authentication (MFA). It is every user’s responsibility to protect his or her account from unauthorized use by changing his or her password periodically and by using passwords that are not easily guessed.  Account, password, and MFA sharing are prohibited.
    2. Any action to circumvent network security or gain access to the system through any unauthorized means is forbidden and may lead to suspension of a person’s rights to use the college network. Any employee whose rights to use the network have been restricted may be terminated.  Employees or students who try to gain entry to the network illegally may have their network rights suspended.  In the case of an employee, this could result in consequences under the Progressive Discipline Policy.
    3. Security violations should be reported to any member of the Information Technology Services Department (ITS).  The Chief Technology Officer or a member of ITS will contact the affected users regarding concerns and corrective measures. Additionally, an incident report will be completed and sent to the appropriate Vice President.
    4. Unless otherwise confidential by law, records generated using the College’s technology systems are considered public records and must be maintained as public records pursuant to the College’s policies and procedures. Student education records and certain personnel information are protected by law and are confidential.
  6. ELECTRONIC RECORDS RETENTION
    1. The College will retain and destroy electronic records, including email and instant messages, in accordance with this document, the State Guidelines for Managing Trustworthy Digital Public Records, and the approved Record Retention and Disposition Schedule (“the Schedule”) for community colleges adopted by the North Carolina Department of Cultural Resources and the State Board of Community Colleges.
    2. Electronic records made or received in connection with the transaction of public business are public records pursuant to the North Carolina Public Records Act, as defined by the North Carolina Public Records Act, N.C.G.S. § 132-1 et seq. Examples of electronic records that are public records include, but are not limited to: messages that include information about policies or directives, official business correspondence, official reports, or material that has historic or legal value.
    3. Public records, including electronic records, may not be deleted, or otherwise disposed of except in accordance with the Schedule. The content of the electronic record determines its retention requirement.
    4. The content of the electronic record, not the method or device in which it was sent, dictates whether the record is a public record. For example, if an employee has work email on his private, personal email account, that email remains a public record. For this purpose, employees are strongly encouraged to use only their work email address for work emails. If an employee, however, does have work emails on their personal email accounts, they are responsible to properly maintain the email and, if necessary for retention purposes, transfer the email to another medium for proper retention.
    5. Because electronic messages can be sent and forwarded to multiple people, copies of the messages may exist in the accounts of multiple users. In most cases, the author, or originator, of the electronic message is the legal custodian and is responsible for maintaining the “record” copy. However, cases in which the recipient has altered the message (made changes, added attachments, etc.), or when the message is coming from outside the college, the recipient is the one responsible for retaining the message.
    6. When the custodian of an electronic record leaves the employment of the College, it is the responsibility of the supervisor to ensure all public records remaining on the computer and in the messaging account are retained or disposed of appropriately. The College additionally stores all email and instant messages as a fail-safe archive in the event of system failure or unlawful tampering. All messages which are sent or received using the College’s email and instant messaging system are copied and retained by this system for (5) five years. This storage mechanism is intended as a safety measure and does not replace the individual employee’s legal responsibility for retaining and archiving electronic messages in accordance with the state of North Carolina’s record retention laws.
    7. For retention purposes, email messages generally fall into the following two categories: 
      1. Email of limited or transitory value. For example, a message seeking dates for a meeting has little or no value after the meeting. Retaining such messages serves no purpose and takes up space. Messages of limited or transitory value may be deleted when they no longer serve an administrative purpose.
      2. Email containing information having lasting value. Email is sometimes used to transmit records having lasting value. For example, email about interpretations of an agency’s policies or regulations may be the only record of that subject matter. Such records should be transferred to another medium and appropriately filed, thus permitting email records to be purged.
    8. While the methods for reviewing, storing, or deleting electronic records may vary, compliance with the retention requirements may be accomplished by one of the following:
      1. Retention of Hard Copy. Print the record and store the hard copy in the relevant subject matter file as would be done with any other hard-copy communication. 
      2. Electronic Storage of records and email. Electronically store the record or email in a file, on a disk or a server so that it may be maintained and stored according to its content definition under this Policy. 
    9. A litigation hold is a directive not to destroy electronic records, including email, which might be relevant to pending or anticipated litigation. In the case of a litigation hold, the Chief Technology Officer may suspend the normal retention procedure for all related records. 
    10. The College recognizes that legal proceedings may result in pretrial discovery requests of the information technology system used to produce records. The College will honor requests for outside inspection of the system and testing of data by the courts and government representatives. The College may have contractual obligations to notify other parties prior to fulfilling requests for information that involve said other parties’ rights. Records must continue to exist when litigation, government investigation, or audit is pending or imminent, or if a court order may prohibit specified records from being destroyed or otherwise rendered unavailable.
    11. Records may only be disposed of in accordance with the Schedule. Prior to the disposition of any record or record group after the applicable retention period, the records custodian will create and maintain a destruction log.
  7. VIOLATIONS
    1. Violations of policy will be treated as academic misconduct, other violation of the student code of conduct, employee misconduct, and/or potential criminal conduct, as applicable.
    2. For noncriminal matters, a single violation could result in suspension of the user’s access rights. A second violation will result in permanent suspension of access privileges.
    3. Suspected criminal activity will be referred for law enforcement investigation and may result in immediate and permanent loss of privileges.
    4. Student disciplinary proceedings will be initiated against student violators.
    5. Stanly Community College faculty and staff, where appropriate, may also face sanctions cited above.  In addition, violations of the policy may result in consequences under the Progressive Discipline Policy.