SECURITY & INTEGRITY OF INFORMATION SYSTEMS & TECHNOLOGY AT OZARKA COLLEGE

INTRODUCTION

The security and integrity of Ozarka College's Information Systems & Technology resources (IST) is vital. There are a number of ways IST can be compromised and all who use the resources have a part to play in guarding the IST resources at Ozarka.

Attacks aimed at compromising the security and integrity of IST resources can be focused on standalone computers. However, those attacks are able to quickly infect other IST resources on the networks to which they are connected.

As a consequence, it is imperative that protections be implemented and that they are adhered to rigorously. This will reduce the likelihood of security and integrity outbreaks and minimize the risks associated with any outbreak. Ozarka College has a responsibility to protect its resources. Accordingly, all possible points of entry (internet, e-mail, removable media, personal computers, gateways, servers, employee computers) need to be protected and appropriate actions must be implemented to counter the risks. The success of this program depends on the products available and the regular use of these products by students and employees.

WHAT ATTACKS SECURITY AND INTEGRITY OF SYSTEMS

There are three common ways our computers are attacked. They are:

  • Viruses: A virus is a software program or piece of code that infects a computer and reproduces itself to spread throughout the computer or to other computers. Viruses are spread through executable code, which means they must be activated to affect a system and spread. Viruses can sit dormant in a computer system until they are activated, either remotely or with a countdown in the code itself.
  • Malware: Malware is short for malicious software. There are different types of malware. A trojan is a type of malware that is surreptitiously downloaded with other software; trojans do not replicate as viruses do, but trojans are generally more malicious because they steal information and “phone home” that information to their master. The name “trojan” comes from the Greek mythology story about the Trojan Horse. Other malware might include spyware or adware, which track the user’s computing habits, history, or online shopping browsing and buying. Spyware is intended to keep a record of the activity, while adware is intended to blast the user with targeted ads based on web browsing and online habits. Both usually do so without the user’s knowledge.
  • Phishing: Phishing is the name given for one of the worst computer crimes: identity theft. Phishing attempts usually come in the form of emails, instant messages, or hacked websites. They direct the user to what appears to be a legitimate website or application. The user, assuming the website/application is legitimate, enters his username and password, which is promptly stolen.

Although it is increasingly difficult as crooks become more sophisticated, you can prevent viruses and phishing attacks. Some of the tips given below may require you to radically change your computer use and Internet browsing. But if you have ever experienced a virus or trojan, and tried to fix your computer after getting one, you probably realize very quickly that the ounce of prevention really was worth the pound of cure.

(Information taken from: theoldergeek.com/troubleshooting/security-issues/how-to-avoid-computer-viruses-and-phishing-hacks/)

WHAT CAN BE DONE TO MAXIMIZE SECURITY AND INTEGRITY OF SYSTEMS

Ozarka College will maintain a site license and/or make available virus and malware detection and prevention software for personal computers and servers maintained by the College. College clients who have access to networked personal computers will have direct access to the currently supported virus and malware detection and prevention software. Employees will ensure that the virus and malware software installed on their personal computers is in accordance with this policy, and is not tampered with or removed.

The Information Systems department will monitor virus developments and ensure that clients have access to appropriate tools or information to enable them to protect their personal computers against possible infection by a computer virus or malware.

The Information Systems department will thoroughly investigate any report of a virus and malware infection or possible virus and malware infection. If the report is of a serious nature or the effect is widespread, the Chief Information Officer will be informed so that whatever measures are necessary to deal with the matter can be implemented.

Employees or students will not be asked to supply their username or password to anyone. If maintenance is required on your computer, other procedures will be enacted to carry that out. The Information Systems Department will NOT ask you for your username or password – over the phone, in an email, or other forms of communication. Therefore, do NOT supply your username or password no matter how legitimate the request seems.

Digital Millennium Copyright Act (DMCA)

The Digital Millennium Copyright Act (DMCA) is legislation enacted by the United States Congress in October 1998 that made major changes to the US Copyright Act. These changes were necessary in part to bring US Copyright law into compliance with the World Intellectual Property Organization (WIPO) Copyright Treaty and the WIPO Performances Phonograms Treaty. The DMCA also strengthened the legal protection of intellectual property rights in the wake of emerging new information communication technologies.

Digital Millennium Copyright Act (DMCA) and File Sharing at Ozarka College
Downloading and sharing copyrighted material online without permission is unethical and illegal. Ozarka College is dedicated to addressing and resolving issues of copyright infringement, as well as implementing preventative measures and policies to ensure proper use of peer-to-peer (P2P) applications on the campus network.

In addition to sending complaints to Ozarka, copyright owners may also take direct legal action against alleged infringers, and subpoena the college for information about people sharing files. The No Electronic Theft (NET) Act provides for serious criminal penalties, including a fine of up to $250,000 and a potential jail sentence. Lack of knowledge about copyright infringement laws will not excuse one from legal consequences, or from action by the college. It is your responsibility to be aware of the legality of your actions.

How do I know what is legal and what is not when it comes to copying music?
Here is the bottom line: If you distribute copyrighted music without authorization from the copyright owner, you are breaking the law. Distribution can mean anything from "sharing" music files on the Internet to burning multiple copies of copyrighted music onto blank CD-Rs.

Is it illegal to upload music onto the Internet even if I don’t charge for it?
Yes, if the music is protected by copyright and you do not have the copyright holder’s permission. U.S. copyright law prohibits the unauthorized distribution of copyrighted creative work whether or not you charge money for it.

If all I do is download music files, am I still breaking the law?
Yes, if the person or network you are downloading from does not have the copyright holder’s permission. Peer-to-peer systems like KaZaa, Grokster, Gnutella, LimeWire, Morpheus, WinMX, Aimster, and Bearshare have music that is not legal for you to download.

What if I upload or download music to or from a server that is based outside of the U.S.?
If you are in the United States, U.S. law applies to you regardless of where the server may be located.

What if I download or upload poor-quality recordings?
The law prohibits unauthorized copying and/or distribution of digital recordings that are recognizable copies of copyrighted work. The quality of the recordings does not matter.

If I bought the CD, is it okay to make copies of it?
It is illegal to copy a CD for use by someone other than the original purchaser. This means it is illegal to loan a friend a CD for them to copy, and it is illegal for you to make mixed CDs and distribute them to your friends as well.

How do I know if something is copyrighted?
When you buy music legally, there is usually a copyright mark somewhere on the product. Stolen music generally doesn’t bear a copyright mark or warning. Either way, the copyright law still applies. A copyrighted creative work does not have to be marked as such to be protected by law.

Where can I legally download music?
Visit the Center for Copyright Information.

Password guidelines and instructions for changing passwords

Password Choice Requirements

  • At a minimum, passwords shall be changed every 90 days.
  • Passwords shall be at least eight characters in length and be a mixture of alpha and non-alpha characters.
  • User passwords shall not be reused within six password changes.



Suggested strategies for selecting a valid password:

  • Choose a word, then scramble it with some random numbers (e.g., buffalo becomes Bu3fa2o).
  • Convert an easy-to-remember phrase into an acronym. "It is a very fine day" could be abbreviated to "iiavfd", and then by adding two nonalphabetic characters, would become a valid password of iia44fd.


Users must never write down or otherwise record their passwords. Each user is responsible for any action taken with that user's login. No college employees or students should ever share or divulge their password to anyone, including other college students and staff, nor should OC employees and administrators ever request a user to divulge his or her password. Users should change their passwords often--at least once every 90 days for staff/faculty and 180 days for students. Any password that a user believes may have been compromised must be changed immediately.

Users must not attempt to determine another user's password through any means. This prohibition applies to passwords for students, faculty, staff, and friends and accounts on systems reached through the Internet.

Account lockouts: An account will be set to lock out a user for a minimum of five minutes after a maximum of 3 failed login attempts.

Password uniqueness: A history of at least 5 passwords should be kept when technically feasible for each account within a system. New passwords should be checked against this history and users prohibited from re-using any matching entries.

Changing Passwords

myOzarka

Click on My Tools
Click on Change Password

Sonisweb

Click on Systems
Click on Change Password

Note: Resetting a password in the Information Systems department requires that the user present a photo ID.

Electronic Media Policy

Ozarka College collects and maintains electronic information and files from users on a voluntary basis.

These files are collected and maintained to facilitate the processing of student, employee and alumni records.

All record keeping is done in strict compliance with the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). Ozarka is required to comply with the Arkansas Freedom of Information Act (FOI) (Ark. Code Ann. § 25-19-101) and may be required to disclose records maintained in the daily operations of the college unless said records are specifically protected by federal or state regulations. Therefore, electronic communication and information could and would be made available upon being presented with a valid FOI request.

Ozarka employees, staff and students should consider the use of electronic media as being subject to disclosure. There is no expectation of privacy in electronic data that is retained by Ozarka unless said data is specifically protected by federal or state regulations.

This policy is intended to comply with Act 1713 of 2003 codified in ACA § 25-1-114.

Technology Usage Policy

The effective administration of information technology resources will ensure sustained access to information and technology for students, faculty, and staff in the long term. The ensuing regulations delineate acceptable uses of these resources and ensure their alignment with the fundamental operations of the College, encompassing teaching, learning, administration, and public service. These regulations are applicable to any entity or individual utilizing the Ozarka College information technology infrastructure and its associated resources.

The College bears the responsibility of managing its resources in the most efficient and effective manner, adhering to all pertinent laws, regulations, and prudent business practices, while concurrently safeguarding and upholding the principle of academic freedom.

The following categories of use are inappropriate and prohibited:

  1. Use in violation of law. The unauthorized use of Technology Resources in contravention of the law, encompassing civil or criminal statutes at the federal, state, or local levels, is strictly prohibited. Examples of prohibited activities include but are not limited to: promoting pyramid schemes, accessing or disseminating illegal materials, infringing upon copyright laws, and making terroristic threats.
  2. Regarding copyright infringements, it's essential for Users to understand that copyright law regulates various activities, including copying, displaying, and utilizing software and other digital works such as text, sound, images, and multimedia. While the law allows for the use of copyrighted material without explicit authorization from the copyright holder for certain educational purposes, such as protecting specific classroom practices and under the doctrine of "fair use," it's important to note that an educational purpose alone does not automatically justify unauthorized use.
  3. Users are prohibited from engaging in any activity that obstructs, disrupts, undermines, or otherwise harms the activities of others. This includes but is not limited to: denying or attempting to deny service to other users, resource hogging, misuse of mailing lists, dissemination of chain letters or virus hoaxes, spamming (i.e., indiscriminate sending of emails or postings without legitimate purpose), or inundating an individual, group, or system with excessive or large email messages. Additionally, any behavior that may lead to excessive network traffic or computing load is strictly prohibited.
  4. The use of Technology Resources must align with the College's status as a nonprofit, public service organization, adhering to applicable federal, state, and local laws governing income sources, political engagement, property use, and similar matters. Consequently, commercial use of IT Resources for purposes unrelated to the College's mission is generally prohibited, unless explicitly authorized under College conflict-of-interest, outside employment, or related policies. Prohibited commercial use does not encompass communications and data exchange aimed at furthering the College's educational, administrative, and other functions, irrespective of any incidental benefit to external organizations. Commercial advertising is strictly prohibited unless authorized through a contract with the commercial vendor.
  5. The use of Technology Resources to imply endorsement by the College of any political candidate or ballot initiative is strictly prohibited. Users are not permitted to utilize Technology Resources for lobbying activities that may suggest College involvement.
  6. Technology Resources may only be utilized to communicate personal political opinions to an elected official if such expression falls within the scope of the employee's regular job duties or is specifically requested by an elected official or public entity.
  7. Harassing or threatening use. This category encompasses harassing or threatening behavior, such as repeatedly contacting someone without their consent.
  8. Use damaging the integrity of College or other IT Resources. This category includes, but is not limited to:
    • Users are strictly prohibited from attempting to bypass or compromise the security measures of any IT system. This includes actions such as "cracking" passwords, decoding information, or using someone else's identification or password. However, this provision does not restrict the IT Organization or Systems Administrators from employing security-related programs within the scope of their authority over the systems.
    • Unauthorized access or use. The College emphasizes the importance of upholding the integrity of data stored within IT Resources. Users are required to adhere to this principle by refraining from seeking unauthorized access to IT Resources and from aiding or permitting others to do so. For instance, individuals or organizations not affiliated with the College may not utilize non-public IT Resources without explicit authorization. While privately owned computers can be used to provide public information resources, they may not host sites or services for external entities across the College network without specific authorization. Moreover, Users are prohibited from accessing IT Resources that they do not have authorization to access. Additionally, deliberate and unauthorized alterations to data on an IT System are strictly forbidden. Users must not intercept or attempt to intercept data communications not intended for them, which includes actions such as "promiscuous" network monitoring, running network sniffers, or tapping phone or network lines.
    • Disguised use. Users must not conceal their identity when using IT Resources, except when the option of anonymous access is explicitly authorized. Users are also prohibited from masquerading as or impersonating others or otherwise using a false identity.
    • Distributing computer viruses. Users must not knowingly distribute or launch computer viruses, worms, or other rogue programs.
    • Modification or removal of data or equipment. Without specific authorization, Users may not remove or modify any College-owned or administered equipment or data from College property or IT Resources.
    • Use of unauthorized devices. Users must not physically or electronically attach any additional device to the IT infrastructure or related resources that impedes, interferes, or otherwise causes harm to the IT infrastructure or related resources.
  9. Use in violation of external data network policies. Users must observe all applicable policies of external data networks when using such networks.

College Access
In accordance with state and federal law, the College may access all aspects of IT Resources, without the consent of the User. Such access will be made in circumstances including but not limited to the following:

  1. When necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity of the IT Resources; or
  2. When authorized by federal, state, or local law or administrative rules; or
  3. When there are reasonable grounds to believe that a violation of law or a breach of College policy may have taken place and access and inspection or monitoring may produce evidence related to the misconduct; or
  4. When such access to IT Resources is required to carry out essential business functions of the College; or
  5. When required to preserve public health and safety and/or system or data integrity or user privacy. College access without the consent of the User will occur only with the approval of the appropriate vice president, or their respective delegates, except when an emergency entry is necessary to preserve the integrity of facilities or to preserve public health and safety.
    • The College, through the Systems Administrators, will log all instances of access without consent. Systems Administrators will also log any emergency entry within their control for subsequent review by appropriate College authority. In addition to accessing the IT Resources, the College, through the appropriate Systems Administrator, may deactivate a User’s IT privileges, whether or not the User is suspected of any violation of this policy, when necessary to preserve the integrity of facilities, user services, or data. The Systems Administrator will attempt to notify the User of any such action.
    • By attaching privately owned personal computers or other devices to the College network, Users consent to College use of scanning programs for security purposes of those resources while attached to the network.
    • Most Systems Administrators routinely log user actions in order to facilitate recovery from system malfunctions and for other management purposes. All Systems Administrators are required to establish and post procedures concerning logging of User actions including the extent of individually identifiable data collection, data security, and data retention.
    • Encrypted files, documents, and messages may be accessed by the College under the above guidelines.



Enforcement Procedures

  1. Complaint of Alleged Violations. An individual who believes that he or she has been harmed by an alleged violation of this policy may file a complaint in accordance with established College grievance procedures (including, where relevant, those procedures for filing complaints of sexual harassment or of racial or ethnic harassment) for students, faculty, and staff. The individual is also encouraged to report the alleged violation to the Systems Authority overseeing the facility most directly involved, or to the IT Organization which must investigate the allegation and (if appropriate) refer the matter to College disciplinary and/or law enforcement authorities.
  2. Reporting Observed Violations. If an individual has observed or otherwise is aware of a violation of this policy, but has not been harmed by the alleged violation, he or she may report any evidence to the Information Systems department, which must investigate the allegation and (if appropriate) refer the matter to College disciplinary and/or law enforcement authorities.
  3. Disciplinary Procedures. Alleged violations of this policy will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff, and students, as outlined in the applicable Handbook.
  4. Systems Administrators and the IT Organization may participate in the disciplinary proceedings as deemed appropriate by the relevant disciplinary authority. Moreover, at the direction of the appropriate disciplinary authority, Systems Administrators, and the Information Systems unit are authorized to investigate alleged violations.
  5. Legal Liability for Unlawful Use. In addition to College discipline, Users may be subject to criminal prosecution, civil liability, or both for unlawful use of any IT Resources.
  6. Appeals. Users found in violation of this policy may appeal or request reconsideration of any imposed disciplinary action in accordance with the appeals provisions of the relevant disciplinary procedures.

 

Freedom of Information

Ozarka College maintains computer databases and files necessary to process student records, registration, and financial aid. These database records are maintained by Information Systems. For more information, contact Scott Pinkston, Director of Information Systems at 870.368.2016. This information is intended to comply with the Arkansas Freedom of Information Act codified at ACA 25-19-108.



