IS-1002 - Information Technology Use Policy
Release Date: 10/02/97
Revision 1: 02/25/04
Revision 2: 11/22/04
Revision 3: 03/12/07
Revision 4: 06/13/08
Revision 5: 09/04/13
Central New Mexico Community College (CNM) promotes and provides Information Technology (IT) resources that enhance educational services and facilitate job performance and College operations. These resources are shared by CNM students, CNM employees and the public at large. All persons using these systems share the responsibility for seeing that they are used in an effective, efficient, ethical, and lawful manner. The purpose of this administrative directive is to define acceptable and unacceptable uses of these resources and to delineate the rights of CNM and technology users.
- Instructional projects and homework as assigned to all students
- Business-related communication among CNM community members
- Mobile device access to CNM's networks which is compliant with this administrative directive as well as other CNM Administrative and Departmental directives
- Academic pursuits
- Research such as grants, contracts, course-related work, etc.
- Educational services such as instructor websites, Distance Learning, testing and assessment
- Operational purposes such as payroll, purchasing and student registration
- Management and operational communication (CNM Express, The Source, email, web, telecommunications, distribution)
- Use of email lists for academic or CNM work-related use
- Incidental personal use which does not adversely impact the college, employee productivity or other users' access to resources
- Transferring misleading messages and/or masking the origin of a message
- Violation of Intellectual Property Law (IP Law)
- The owner of a copyrighted work owns the rights to reproduction, modification, distribution, public performance and public display of these works
- This includes, but is not limited to, Copyrights and/or Patents as described in the Employee Handbook
- The user who violates IP Law may be subject to liability to owner for actual damages, statutory damages, profits, court costs and attorney fees
- The user who violates IP Law may also be subject to criminal fines and/or imprisonment
- Engaging in Prohibited or Illegal activities
- Compromising your or another's user account information (usernames and/or passwords)
- Divulging sensitive or restricted information
- Violating another's privacy
- Compromising system or network integrity
- Adversely affecting employee productivity as determined by the employee's supervisors or department management
- Accessing Offensive Material which can be viewed by an individual (other than the user) if the individual considers the material offensive
- Uses which violate other CNM policies, CNM directives or Government Regulations as outlined in "Applicable Related Documentation" below
- CNM owns and operates the network and reserves the right to restrict or limit access at CNM's discretion under this administrative directive.
- Access to CNM's technology resources is a suspend-able or revocable privilege
- CNM reserves the right to monitor systems and/or networks for compliance
- CNM is subject to Audits, both internal and external, of its systems and networks for compliance with applicable best practices, regulations, and other applicable laws
- CNM reserves the right to initiate a system and/or network forensic investigation at the direction of the Human Resources Department or the Office of the Dean of Students
- CNM reserves the right to protect the integrity of its IT resources
- ITS may block the network transmission of known attacks, malware and data flow to and from disreputable addresses as defined by several third-party databases while maintaining message integrity
- ITS may block other content under the direction of the CNM Executive Council
- CNM does not warrant IT resources to perform to any specifications
- CNM cannot protect individuals against malicious or inappropriate information
- CNM is not obligated to monitor networks or systems for compliance to this administrative directive
- CNM is not responsible for locally stored data (outside CNM's Data Centers)
- CNM attempts to ensure the privacy and security of its systems and networks, but CNM makes no guarantee or representation that any account, electronic mail or voice mail is private
- Users are personally responsible for maintaining backups of all data not stored on the network, such as the local desktop or documents directories
- Users may be held personally liable for data breaches which occur due to their own negligence
- Governing Board Handbook 9.03 - Inspection/Release of College Records
- Employee Handbook 4.03 - Sexual Harassment
- Employee Handbook 9.03 - Discipline
- Employee Handbook 11.03 - Copyright
- Employee Handbook 11.04 - Patents
- Employee Handbook 12.17 - CNM Technology Use Policy
- Student Code of Conduct
- Example Violations of ITUP - Violation Matrix (login required)
- IS-1003 Web Standards - (login required)
- IS-1004 Mobile Devices
- IS-1005 System Access
- IS-2062 Disciplinary Action - (login required)
- 3-Step Response to a Violation - (login required)
To maintain the integrity of CNM's Information Technology resources and systems it is necessary to identify common violations that can be addressed quickly to maintain effective technology use at CNM. Common violations are noted in the Violation Matrix (login required) and are identified as minor or major. This list is not intended to be all-inclusive but represents the types of offenses that are considered violations under this administrative directive. These violations apply to any device, whether CNM owned or personally owned, used to access CNM's systems and networks.
Engaging in activities that violate this, or other administrative directives, may result in loss of access privileges as well as possible disciplinary action (login required).
- Category 1 - Minor Violation
- A Category 1 (minor offense) (login required) is considered a low level offense involving non-threatening action that is offensive or disruptive. Low level offenses can also involve abuse or misuse of CNM technology systems or networks. Minor offenses include such things as drinking or eating in lab settings, or viewing images that may be offensive to another person in the area but are not illegal.
- All minor violations should be addressed using the 3-Step Response to a Violation (login required) process. Every attempt should be made to resolve minor violations satisfactorily using the lowest level of response possible.
- Any employee who is uncomfortable attempting to resolve a violation should contact an immediate supervisor. In the case of obvious threats to CNM systems and/or networks, contact the ITS Helpdesk. If a situation poses any danger or threat to individuals, please contact Campus Security (505-224-3002) immediately.
- Notification and documentation of minor violations are done according to IS-1002 ITUP. Any escalation of minor violations to major violations must follow the documentation and notification requirements of a major violation (login required).
- Repeated minor violations by an individual can be escalated to a major violation if the user refuses to comply with requests to discontinue the behavior.
- Category 2 and Category 3 Major Violations
- A Category 2 (major offense) (login required) involves suspected violations of international, federal, state, or local law, a system/network performance threat caused by reckless activity, or individuals who do not comply with requests to discontinue unacceptable activities identified as Category 1 (minor) violations. This can include individuals who become physically or verbally abusive in response to a request to discontinue minor violations.
- A Category 3 (major offense) (login required) involves obvious violations of federal, state, or local law or a system/network performance threat caused by intentional activity.
- In most cases it may be difficult to determine whether a violation is a Category 2 or a Category 3 until the investigation is complete. Although they may appear the same, intentional activity that violates Information Technology Use policy (Category 3) can result in more severe disciplinary action (login required) than reckless activity (Category 2).
- All Category 2 and Category 3 (major) violations should be addressed using the 3-Step Response to a Violation (login required) process.
- Any emergency situation that involves risk to an individual and/or property may dictate that the normal protocol is temporarily circumvented until a threatening situation is controlled. Campus Security is involved in major violations when there is a potential risk to students, personnel or the general public, or for other pertinent reasons that require Security's involvement.
- Major violations require the immediate notification of the next level of supervision in the normal reporting protocol structure. Suspicion of violations that can cause significant harm to individuals or CNMs systems and networks should be escalated immediately to the Human Resources Department or the Office of the Dean of Students. The ITS Helpdesk should also be contacted in case ITS needs to take immediate action to preserve operations. After hours, a recording refers callers to another number for assistance.
- Any inappropriate behavior resulting in students being temporarily removed from facilities must be reported immediately to the next level of supervision and the Office of the Dean of Students. Inappropriate behavior resulting in employees being temporarily removed from facilities must be reported to the next level of supervision and the Human Resources Department.
- Category 2 and 3 Violations require completion of the Information Technology Use Violation Report (login required). The report and any other support documentation or physical evidence must be submitted to the Human Resources Department or the Office of the Dean of Students.
- Employee violations are submitted to the Human Resources Department and student violations are submitted to the Office of the Dean of Students. Violations involving individuals from the general public are referred to the Office of the Dean of Students. The Human Resources Department and the Office of the Dean of Students acknowledge receiving Information Technology Use Violation Reports via email response to the submitting individual or area.
- The Human Resources Department or the Office of the Dean of Students will oversee investigations regarding suspected Information Technology use violations. They will determine if other CNM departments or outside agencies need to be contacted.
- All documentation and evidence gathered during an investigation is maintained by the office completing the investigation (the Human Resources Department or the Office of the Dean of Students) for a period of not less than 10 years. The document files are destroyed by the Records Retention Department when the retention requirements have been met.
3-Step Response to a Violation
The 3-Step Response to a Violation process is designed to assist CNM employees in responding to an Information Technology use violation. Step 1, Recognize, (login required) recommends identification and evaluation of what is actually happening. Step 2, Strategize, (login required) involves developing a plan for an appropriate response to the violation. Step 3, Respond,(login required) is based upon the category of the violation. Refer to the 3-Step Response to a Violation chart (login required) for clarification.
Permission to use a technology resource according to appropriate limitations, controls, and standards
Guiding principles, goals and processes established for College-wide use that influence and/or determine decisions and actions in compliance with Governing Board Policy.
Guiding principles, goals and processes established within specified work areas that influence and/or determine decisions and actions in compliance with Governing Board Policy and Administrative Directives.
Any individual, whether student, faculty, staff, or individual external to CNM, who has been granted access privileges to specific Information Technology resources.
A low level offense involving non-threatening action that is offensive or disruptive. Low level offenses can also involve abuse or misuse of the CNM technology systems or networks.
A suspected violation of federal, state or local law, or a system/network performance threat caused by reckless activity, or repeated Category 1 violations by an individual who does not comply with requests to discontinue their behavior.
An obvious violation of federal, state, or local law or a system/network performance threat caused by intentional activity.
Confidential Information or Data
Personal and personally identifiable information, (e.g., addresses, social security numbers, medical information) and other information as defined by the Confidential Materials Act, NMSA 1978-3A-2.
A representation of information in an organized manner that is stored, communicated, interpreted, or processed by automated means.
Data stored in a format that can be accessed, stored, and/or manipulated electronically.
This group includes registered students, regular and temporary faculty and staff, casual employees, and any individuals or entities approved by the CNM Administrative Vice President.
The document that contains Governing Board Policy regarding the guiding principles, goals and processes in use at CNM.
Information Technology services that provide critical operations to CNM. These services include, but are not limited to:
The technology involved in developing, maintaining, and using computer systems, software, and networks for the processing and distribution of data.
Original works of authorship fixed in any medium of expression. A work is fixed when made sufficiently permanent or stable to permit it to be perceived, reproduced, or otherwise communicated for a period of more than transitory duration. Motion media, text material, music, lyrics, music video, illustrations, photographs, trademarks, slogans, and patents are examples of intellectual property.
Data stored on CNMs systems and networks and/or generated by CNM employees while conducting College business.
An account that has been rendered inaccessible to the account owner. All files/data associated with the account remain intact and unchanged. An account may be locked by the System Administrator for a number of reasons including, but not limited to, account inactivity for a predetermined period of time, an ongoing security investigation, a violation of the Technology Use Policy, termination of employment, or discontinued association with the College. An account can be unlocked by the System Administrator when deemed appropriate.
(1) To check systematically or scrutinize for the purpose of collecting specified categories of data; (2) a device for recording or controlling a process or activity.
Works lacking in literary or artistic value depicting sexual acts in an offensive way appealing to prurient interests. Factors generally used to determine the obscene nature of materials are:
Text, images or other material that may be intimidating, hostile or harassing in nature or interpretation.
A combination of letters, numbers and/or symbols used to verify a person's access privileges to an Information Technology resource.
Personal Identification Number
Any document, paper, letter, book, map, tape, photograph, recording or other material, regardless of physical form or characteristics, that is used, created, received, maintained or held by or on behalf of any public body and relates to public business, whether or not the record is required by law to be created or maintained.
Student Code of Conduct
The document that defines the behavioral expectations of students. It contains the student discipline processes and procedures to be followed if a student violates the established Code of Conduct.
The official CNM publication in which the Student Code of Conduct and other policies/guidelines related to student behavior is published. All students should keep a current copy of this publication to serve as a reference regarding behavioral issues or questions.
The individual responsible for the administration of resources on a system which includes: (1) access privileges; (2) physical resources; (3) installation and service/upgrades of software and hardware; (4) configuration of software and hardware; (5) securing software and data; (6) ensuring the performance and capacity of a system.
The centralized source of CNM Governing Board Policy, administrative directives and procedures that determine College-wide standard practices regarding principles, goals and processes.
Any individual, whether student, faculty, staff, or individual external to CNM, who uses CNM Information Technology resources.
Governing Board Handbook 9.03, Inspection/Release of College Records
Employee Handbook 4.03, Sexual Harassment
Employee Handbook 9.03, Discipline
Employee Handbook 12.17, CNM Technology Use Policy
Student Code of Conduct
Family Educational Rights and Privacy Act 1974
Governing Board Handbook 9.03, Inspection/Release of College Records