Network Operations and Security

Ethernet Cables Connected

See Also: Policy 4810 - TMCC Telecommunications Use

Procedure

TMCC computer resources are property of TMCC and may be used to assist users in the performance of their jobs. Use of TMCC computer resources is a privilege that may be revoked at any time.

Unauthorized use or access of TMCC computer resources is prohibited. Use of TMCC computer resources implies acceptance of the rights and responsibilities included in the TMCC Telecommunications Use policy.

The privacy of users of TMCC computer resources is carefully guarded but cannot be guaranteed. Examination of information accessed or stored on the system may occur if authorized by the appropriate authority(ies).

The following procedures apply to the security and operation of the TMCC computer network and applies to all academic and administrative users unless specified below. Failure to follow these procedures is a violation of the TMCC Telecommunications Use Policy. Violations will be taken seriously and may result in disciplinary action, including possible termination.

It is every employee's duty to use TMCC's computer resources responsibly, professionally, ethically and lawfully.

Definitions

  • Computer resources refers to TMCC's entire computer network. Specifically computer resources includes, but are not limited to: host computers, routers, switches, file servers, application servers, communication servers, mail servers, fax servers, Web servers, computer workstations, stand-alone computers, mobile devices such as laptops, tablets, and smartphones, software, data files, and all internal and external computer and communications networks (for example, internet, commercial online services, value-added networks, email systems, that may be accessed directly or indirectly from the TMCC computer network). TMCC’s computer network is separated for administrative and academic use.
  • Users refer to all employees, independent contractors, consultants, temporary workers, and other persons or entities that use our computer resources.

Computer Resource Access

  • All users of TMCC administrative computer resources must first complete and submit a TMCC Network Access Security Application (NASA) online form. The submission of this form is required to gain access to various administrative TMCC computer resources and applications including email, mainframe and databases.
  • When a TMCC employee changes departments within TMCC or leaves the employment of TMCC, the TMCC Network Access Security Application (NASA) online form must be submitted by the individual's supervisor/department to either change the access of the individual or request the individual's access be deleted.
  • All TMCC-owned computer resources must first be configured by the TMCC Information Technology (IT) department before release to the customer for business use and before access to TMCC's wired or wireless network. At a minimum, this typically includes installation of TMCC software and configuration of network settings.

Physical Security

  • Users are responsible for securing their computer workstation, preventing malicious users from gaining immediate access to TMCC computer resources.
  • When an individual leaves the employment of TMCC, the user profiles assigned to that individual will be removed from their primary computers prior to being assigned to another employee, thus eliminating the possibility that any personal information remains on the computer.
  • Computers connected to the administrative network will automatically have a screen lock enabled after 10 minutes of inactivity.
  • Computer room security is governed by the TMCC Computer Room Access policy.

Network Logins

All computers connected to the TMCC network require logins to the TMCC network.

Use of the TMCC Network

A user's ability to connect to other computer systems through TMCC computer resources or other means does not imply a right to connect to those systems or to make use of those systems unless specifically authorized by the operators of those systems or by appropriate TMCC authorities.

Each user is responsible for ensuring that use of outside computers and networks, such as the internet, does not compromise the security of TMCC's computer network. This duty includes taking reasonable precautions to prevent intruders from accessing TMCC computer resources without authorization and to prevent the introduction and spread of viruses. This is primarily accomplished by not circumventing and allowing antivirus programs to operate on and scan data on their computer workstations on a daily basis; and security protocols issued by the TMCC IT Department and installed on their computer workstations to operate.

Allowing malicious code to run on computer resources or broadcasting unregulated data traffic over the TMCC network is prohibited.

Access

Unauthorized access is prohibited. By continuing to use this network and computer system, users accept the rights and responsibilities in the Truckee Meadows Community College Telecommunications Use Policy (effective March 2005).

Any devices connected to TMCC's network either through a direct Ethernet connection or wireless connection must have the device's Media Access Control (MAC) addresses registered with the TMCC IT department. The TMCC IT department will then set the IP address(es) that the device is allowed to use for access to the internet or other TMCC computer resources.

Access to the TMCC administrative network from a modem or non-TMCC wireless access point (WAP) or mobile hotspot connection originating within a TMCC location (i.e., Dandini Campus, Meadowood Center, IGT Applied Technology Center, Performing Arts Center, Health Science Center, etc.) is not allowed unless specifically established or authorized by the TMCC IT department.

Administrative computing devices on the TMCC network that must be accessed from an outside location must receive prior approval from the TMCC IT Department. The TMCC IT Department will establish the connection protocol that must be followed to access the internal computer from the outside. This is normally accomplished via a TMCC-provided virtual private network (VPN) connection.

Privacy

User privacy is carefully guarded but cannot be guaranteed.

Examination of information stored or accessed on the system may occur if authorized by the appropriate authorities.

Users may not alter or copy a file belonging to another user without first obtaining permission from the owner of the file. Ability to read, alter, or copy a file belonging to another user does not imply permission to read, alter, or copy that file.

Users may not use the computer system to "snoop" or pry into the affairs of other users by unnecessarily reviewing their files and email.

FTP

Customers using the file transfer protocol (FTP) to transfer files to and from the TMCC network should recognize that FTP is not a secure method of file transfer.

Remote Access

Remote access to and from TMCC computer workstations must be approved by Information Technology. Typically, remote access is strictly controlled for security reasons.

Computers personally owned by TMCC employees (desktop computers, laptops, etc.) are not to be physically connected to the TMCC network since there is no guarantee the employee's systems are actively protected with the most current antivirus or anti-SPAM signature files or have not been compromised by hackers.

Wireless Network Security

Wireless network connections are on a shared network.

Users of the wireless network must take every precaution to protect their devices from outside attacks. Sensitive or confidential data must only be transmitted using wired networks. Customers use wireless networks at their own risk, since wireless data traffic can be obtained by untrusted or unknown entities.

Since the wireless network is shared, it is more susceptible to viruses and other network attacks than the TMCC wired network. Note that if problems occur on the wireless network, the network can be disconnected without notice at any time.

Other than providing internet access, direct access into TMCC computer resources via a wireless network is normally not allowed. Users must authenticate through provided security systems to gain authorized right to use TMCC computer resources.

TMCC administrative use laptops must connect to their primary, home subnet via a wired network drop to cache current domain authentication credentials within 90 days of use elsewhere. Wired connections for laptops other than on their primary, home subnet are not supported without prior notice and approval.

Wireless Access Points (WAPs)

In order to ensure the security of the overall TMCC network, only TMCC-provided WAPs are to be used to access the TMCC network. Non-TMCC WAP or mobile hot spot devices are normally not allowed and when detected will be shunned from network access.

If a non-TMCC WAP or mobile hot spot is allowed by the TMCC IT department to be used, the device must have its Media Access Control (MAC) addresses registered with the TMCC IT department.

The TMCC IT Department will then set the IP addresses the WAP is allowed to use for accessing the internet or other TMCC network resources. However, if other TMCC-owned network devices are available for providing the same connectivity, the TMCC resources must be used.

Email

  • Generic login names for accessing TMCC's Google Apps for Education email are not allowed on TMCC's network.
  • Although departmental email accounts may be established to facilitate contact with customers or other department work, in order to access any TMCC Google Apps for Education email account, the user must have an individual TMCC Google Apps for Education email account login name.
  • All email messages processed by select TMCC mail servers will be subjected to an automated scanning process to (1) determine the likelihood that messages are SPAM and (2) detect viruses. Messages will be delivered, delivered with warnings, or rejected accordingly.
  • Email stored on TMCC's Google Apps for Education system is automatically deleted for messages that have been in Trash for more than 30 days or if purged from the Trash by the email account owner.
  • Tiny URLs are discouraged from use since they hide the real URL.
  • Refrain from sending emails of a personal nature to the TMCC "All Mailboxes" address unless they are business related.
  • Personal emails that are of general interest should be referred to the Marketing and Communications Office for inclusion in the appropriate TMCC eNewsletter.

Personally Identifiable Information (PII) and FERPA Email Guidelines

Guidelines that should be followed when communicating FERPA-related information over email:

  • If there is a need to transmit a file with Personally Identifiable Information (PII) to another TMCC employee, use the Secure Information Transfer System (SITS).
  • Personally identifiable information (PII) is never to be included in the subject line of any email, screen shots, IM or "chat". If a subject line contains a Social Security Number or NSHE ID number, then a violation of FERPA has occurred.
  • Social Security Numbers are never to be sent via email.
  • The NSHE ID and student name can be sent within the body of an email and as an attachment. Emails containing FERPA-related information may only be sent to the "official" NSHE or institution email address of the authorized recipient (i.e., nshe.nevada.edu, unr.edu, unlv.edu, tmcc.edu, washoeschools.net, etc.).
  • FERPA-related email may not be sent or forwarded to a personal address such as one associated with Gmail, Hotmail, or Yahoo. Students should be required to use the provided TMCC email so that staff and faculty have reasonable certainty that communications are with the appropriate individual.
    Should you receive an email from a student’s personal email the response will be:
    "Thank you for your email. In order to protect students’ privacy and to comply with federal law regarding student records (Family Educational Rights and Privacy Act, FERPA ), Emails containing FERPA related information will only be sent to the official Institution e-mail address of the authorized recipient (tmcc.edu). FERPA related email will not be sent or forwarded to a personal address such as one associated with Gmail, Hotmail, or Yahoo. Grades will not be emailed. You will need to use your TMCC provided student email account to communicate with TMCC departments, faculty and staff. Please check your TMCC email regularly for communications from the College."
  • Emails containing FERPA-related information should be deleted when the task/subject is completed.
  • Do not email or publicly post grades. An unauthorized release of grades to someone who is not a school official can result in the institution being found to be in violation of FERPA.
  • All email must include a disclaimer or tagline:
    "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persona or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer."
    (Disclosure and directory information BOR Handbook Title 4, Chapter 1, Section 26.)
  • The term "personally identifiable information"includes, but is not limited to:
    • The student’s name;
    • The name of the student’s parent or other family members;
    • The address of the student or student’s family;
    • A personal identifier, such as the student’s Social Security Number, student number (NSHE/TMCC ID), or biometric record;
    • Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
    • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and/or
    • Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. (34 CFR § 99.3)

Virus Detection

Viruses can cause substantial damage to computer systems. Each TMCC user is responsible for taking reasonable precautions to ensure he or she does not introduce viruses into TMCC's computer network.

Virus Scanning

All material received on external storage devices or media, and all materials downloaded from the internet or from computers or networks that do not belong to TMCC, must be scanned for viruses and other destructive programs before being placed onto the computer system.

Users should understand that their home computers and laptops may contain viruses. All data transferred from these computers to TMCC computer resources must be scanned for viruses.

TMCC conducts virus scanning to reduce the number of viral attachments reaching TMCC users. Messages containing attachments are subjected to virus scanning and those determined to be viral will be rejected with an error. No notification will be sent by TMCC to the intended recipient. No notification will be sent by TMCC to the sender. Such messages may be quarantined for further analysis.

Antivirus Software

TMCC is licensed for antivirus protection software for Intel-based computers and Macintosh computers.

User should not disable the antivirus software or install any other antivirus software on TMCC computers without receiving permission from Information Technology.

TMCC desktop computers, laptops and tablets must have the College's current antivirus software installed, updated with the latest antivirus signature and actively running.

If an individual’s personal desktop or mobile device that is connected to TMCC computer resources gets infected, but does not have the College's current antivirus software installed (for desktop/laptop/tablet devices only), updated with the latest antivirus signature and actively running, the College is not responsible for fixing any problems that occur on the user's desktop or laptop computer as a result.

Virus Warnings

If TMCC employees receive warnings about viruses from sources outside of the TMCC IT Department, they should forward those warnings to the TMCC IT Department for validation. If validated and warranted, the TMCC IT Department will issue a campus-wide alert about the virus.

Passwords

  • Users are responsible for safeguarding their passwords for access to the TMCC computer system.
  • Individual passwords should not be written down, printed, stored online, or given to others.
  • Users are responsible for all transactions made using their passwords.
  • No user may access the computer system with another user's password or account.
  • Use of passwords to gain access to the TMCC computer system or to encode particular files or messages does not imply that users have an expectation of privacy in the material they create or receive on their computer or on TMCC computer resources.
  • At no time will generic passwords be issued to allow multiple users to use the same password for accessing TMCC computer resources.
  • Passwords expire every 90 days.
  • Users are responsible for changing their network password often. This should be done every two to three months. If users suspect account tampering, users should change their password immediately and report the tampering to IT Customer Service.
  • Do not use birth dates, home phone numbers, etc.
  • Minimum security requirements:
    • At least 8 characters;
    • Must be unique (not been used in the previous 24 passwords);
    • Does not contain your account or full name;
    • Contains all of the following character groups:
      • English uppercase characters (A through Z);
      • English lowercase characters (a through z);
      • Numerals (0 through 9);
      • Non-alphabetic characters (such as !, $, #, %)
  • Register your password on the Password Reset System to allow self-service password resets.
  • If users allow others such as friends, family or colleagues to use their account, they are violating TMCC and NSHE policy.
  • TMCC-owned mobile devices will have a screen password enforced; personal mobile devices that access TMCC data should have a screen password enabled.

User Maintained Servers

Users must inform the TMCC IT Department of any personal or College servers not maintained by TMCC IT staff running on the TMCC network. This includes servers hosting web pages that are linked to the TMCC website. The information provided will include the physical location, IP address and MAC address of the server and the URL of any web pages originating from the server. This is to ensure the server receives appropriate internet access and proper security patches and updates are applied.

Web pages should be hosted on servers maintained and monitored by the TMCC IT Department.

Administrative Rights

Faculty and staff at TMCC are provided with computers in order to complete the tasks required for their job. These computers are the property of TMCC, not the individual employee, and are set up to ensure the primary software required is configured and operating properly (i.e., email, word processing, spreadsheets, etc.).

TMCC is able to ensure only authorized users log in to TMCC computer resources.

Normally, those using TMCC computers with the Windows operating system are given "Power user" rights. This allows the individual the ability to perform most common tasks, such as running applications, using local and network printers, changing desktop screensavers and wallpaper, and shutting down the computer.

Only TMCC IT department staff are typically given "administrative" rights. Not granting administrative rights allows the College to ensure the software loaded on TMCC computers is compatible with current desktop operating systems. By not granting administrative rights, the College enforce the TMCC Telecommunications Use policy by ensuring that individuals:

  • Cannot knowingly or carelessly perform an act that will interfere with the normal operation of computers, terminals, peripherals, or networks;
  • Cannot knowingly or carelessly run or install on any computer system or network, or giving to another user a program intended to damage or to place excessive load on a computer system or network. This includes, but is not limited to, programs known as computer viruses, Trojan horses, and worms;
  • Cannot violate terms of applicable software licensing agreements or copyright laws.

Academic department chairs may request administrative rights be granted to an academic faculty member within their department by sending a request to IT Customer Service.

If a TMCC user has been granted administrative rights, that user will have placed themselves at risk from either attacks from other computers (inside or outside of the network) or from problems caused by mismanagement of their own computer. In either case, if problems occur, it will be extremely difficult for the TMCC IT Department to troubleshoot the user's computer quickly .

If the user's computer is found to be the cause of problems on the TMCC network or if they have other problems caused by mismanagement of their own computer, the only recourse to the TMCC IT Department will be to shut down the user's computer system and restore it to the base image previously established for the model of computer in use.

The faculty member should feel free to contact IT Customer Service to periodically update the base image of their computer to proactively assist with updates to their computer workstation.

Physical Cables

Network connection cables must be no longer than 10 feet to be used on the network.

Backups

Backups are created for data residing on servers maintained by TMCC IT.

  • Daily incremental backups are maintained for up to two weeks.
  • Weekly full backups are maintained for six months to one year depending on storage capacity. Weekly backups are stored at two TMCC sites for disaster recovery purposes.
  • Quarterly full backups are maintained for one year. Quarterly full backups are stored at the TMCC disaster recovery site.

Exclusions

  • In user's home directories, the following file types are excluded from backup: AAC, AVI, GIF, JPEG, JPG, M4?, MOV, MP?, MPEG, PNG, RAM, TIF, TIFF, WAV, WMV
  • Temporary file types are excluded from all backups.

TMCC IT does not backup user devices, such as workstations, laptops, mobile devices, etc., or personal devices.

  • Users should maintain their own backups for data that is not backed up by TMCC IT.
  • Data backed up for the user by external providers (cloud backup, etc.) must be evaluated prior to determining if the external provider complies with any legal regulations over that data (FERPA, HIPAA, etc.). See Also: TMCC Policy #4816: Computer Hardware and Software Purchases
  • It is recommended to keep at least quarterly backups stored at a secure location that is different from the primary data storage location.

Google Apps

Google Apps backups are performed by an independent third-party backup system, SysCloud.

  • Backups run three times daily on a variable schedule.
  • Each user is allocated a fixed amount of backup space.
  • Up to 5 previous versions of documents will be maintained, if the user has enough free space.

VPN/Remote Access

If anyone is provided remote access to your TMCC-owned resource for valid, business-related purposes, users are responsible for ensuring PII or sensitive information is not exposed.

Maintenance Windows

Maintenance may be performed on any TMCC computer system (network battery systems, cabling, servers, switches, routers, etc.) prior to 7:30 a.m., Monday through Friday.

As a courtesy, IT attempts to inform the campus community when such maintenance occurs, but notification may not always occur. If computer systems are not available prior to 7:30 a.m., ongoing maintenance is probably the reason. The major maintenance periods when network services may not be available are 5 p.m. on Saturday evenings to 8 a.m. on Sunday mornings, as well as 8 p.m. to midnight on Sunday evenings.

Network Capacity

TMCC may require users of Information Technology resources to limit or refrain from specific usage. TMCC will judge the reasonableness of any particular use in the context of all of the relevant circumstances.