Introduction

This document sets forth Mott Community College (“college”) policy with regard to access to, review of, or disclosure of information transmitted via electronic media and all other forms of communication delivered or received by college employees, contractors, consultants, and temporary workers (hereinafter, “personnel”). This policy does not constitute a contract, and the college reserves the right to change it at any time.

Information systems include all methods of electronic communication including, but not limited to, cell phones, telephones and voicemail, the internet, message boards, email systems, instant messaging systems, and personal digital assistant (PDA) devices used for college business. Information systems are those used to carry out college business and include systems provided to personnel at the college’s expense, systems owned by personnel whose ongoing expenses are paid by the college, and personal systems used to carry out college business. This policy applies whether an information system is standalone or connected to a network.

This policy defines baseline information security measures that everyone at the college is expected to be familiar with and to consistently follow. These measures are the minimum required to prevent a variety of problems including, but not limited to: unauthorized access to sensitive, protected information; fraud and embezzlement; sabotage; errors and omissions; and system unavailability. This policy also defines the minimum controls necessary to prevent legal problems such as allegations of negligence, breach of fiduciary duty, breach of confidentiality, breach of contract, or privacy violation.

This policy document details reasonable and practical ways for all of us at the college to prevent unnecessary losses, and it is in addition to any other college policies governing security and/or confidentiality. Information and information systems are necessary for the performance of nearly every essential activity at the college. If there were a serious security problem with this information or these information systems, the college could suffer significant legal and/or other consequences, including loss of college stakeholders and a degraded reputation.

Policy Statements

Confidential Information

— Communications using information systems should be treated in the same way as confidential printed materials. Three common circumstances in which confidentiality can be breached, and which you should avoid, are:

  1. Leaving your workstation unlocked and unattended. Anyone with access to your workstation area then has full access to all of the information on your computer.
  2. A confidential message is printed on a printer in your office or on a shared printer down the hall, where anyone with access to that printer can view it.
  3. An email (or other form of electronic media) is inadvertently sent to someone who was not intended to receive it.

Personnel must exercise a greater degree of caution in transmitting confidential information electronically (such as by email) than they take with other means of communicating information (e.g., written memoranda or letters), because far less human effort is required to redistribute such information:

  1. Confidential information should never be transmitted or forwarded to outside individuals or companies not expressly authorized to receive that information and should also not be sent or forwarded to other users inside the college who do not need to know the information.
  2. Always use care when addressing messages sent through electronic media (such as email) so that they are not inadvertently sent to outsiders or to the wrong person inside the college. In particular, exercise care when using distribution lists: lists are not always kept current, so confirm that every address on a list is an appropriate recipient of the information before sending.
  3. Refrain from routinely forwarding messages containing confidential information to multiple parties unless there is a clear business need to do so.

To further guard against dissemination of confidential information, personnel should not open electronic messages (such as email) for the first time where others can see the screen. Personnel must also be careful not to discuss sensitive information in public places such as hotel lobbies, restaurants, and elevators. Displaying sensitive college information on a computer screen or hardcopy report where others can view it is prohibited when a user is in a public place, such as seated on an airplane.

Personnel must be careful not to leave sensitive information in voicemail messages or alphanumeric pager messages that could be accessed by someone other than the intended recipient. Caution should also be used with wireless information systems (e.g., cell phones, PDAs, instant messaging). While these are often used for routine business communications that are not a security risk, do not rely on them for confidential communications, because they can be compromised.

Passwords

— The security of our information and information systems can be compromised if your passwords are easy to discover.

  1. Choosing Passwords: Users must choose difficult-to-guess passwords. Fixed passwords must not be found in a dictionary and must not reflect the user's personal life. Passwords must include characters from at least 3 of the following 4 categories: one or more lower case letters; one or more UPPER case letters; one or more numeric digits (0, 1, 2, etc.); one or more of these special characters: ! @ # $ % ^ & * ( ) - _ + = ~ ` ' [ ] { } | \ : ; < > , . ? / or a space.
  2. Changing Passwords: If you suspect that somebody else may know your password, the password must be changed immediately. Follow the ITS procedure to reset your password.
  3. Protecting Passwords: Personnel must maintain exclusive control of their personal passwords. Personnel must not share system or application passwords with anyone, at any time, under any circumstances. If an ITS representative needs to perform a service requiring a password, they will initiate a password change before and after providing the service.
  4. Storing Passwords: Passwords must not be written down on paper or sticky notes. Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in computers without access controls, or in any other location where unauthorized persons might discover them.
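The “Choosing Passwords” rule above, written out as a checker. This is an added example and not college ITS code; the 8-character minimum, the small constructed word list, the leet-speak normalisation used to catch disguised dictionary words, and the caller-supplied list of personal tokens are all assumptions that the policy text itself does not state.

```python
"""Password policy checker for the 'Choosing Passwords' rule.

Added example, not college ITS code. Assumptions not in the policy text:
MIN_LENGTH, the constructed DICTIONARY_WORDS list (a real deployment loads
a full word list), the leet-speak normalisation, and the personal_tokens
list that the caller supplies (name, username, birth year, and so on).
"""
import re

# Special characters listed in the policy; the policy also counts a space.
SPECIAL_CHARS = set("!@#$%^&*()-_+=~`'[]{}|\\:;<>,.?/") | {" "}

# Constructed stand-in for a real dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "college", "summer", "letmein", "football"}

# Assumption: the policy sets no length, so this value is illustrative.
MIN_LENGTH = 8

# Common substitutions that turn a dictionary word into 'P@ssw0rd'.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(password):
    """Return the set of policy character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIAL_CHARS:
            classes.add("special")
    return classes


def _normalise(password):
    """Lower-case, undo common leet substitutions, and keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def contains_dictionary_word(password, words=DICTIONARY_WORDS):
    """True if the password is a dictionary word, including one disguised with
    leet substitutions or a trailing digit or symbol (e.g. 'P@ssw0rd1')."""
    core = _normalise(password)
    return any(core == w or (len(w) >= 4 and w in core) for w in words)


def reflects_personal_info(password, personal_tokens):
    """True if any caller-supplied personal token (name, birth year, ...)
    appears in the password, with or without leet disguise."""
    norm = _normalise(password)
    lowered = password.lower()
    for tok in personal_tokens:
        t = re.sub(r"[^a-z0-9]", "", tok.lower())
        if len(t) >= 3 and (t in norm or t in lowered):
            return True
    return False


def check_password(password, personal_tokens=()):
    """Return a list of rule violations; an empty list means the password
    satisfies every rule this checker implements."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < 3:
        violations.append(
            f"uses only {len(classes)} of the 4 character classes (needs 3)")
    if contains_dictionary_word(password):
        violations.append("based on a dictionary word")
    if reflects_personal_info(password, personal_tokens):
        violations.append("contains personal information")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates and personal tokens.
    for pw in ["Summer2024!", "xK7#qv9Lm!pR", "password", "P@ssw0rd1", "Jane1984!x"]:
        result = check_password(pw, personal_tokens=["jane", "1984"])
        print(f"{pw!r}: {result or 'OK'}")
```

Note that “Summer2024!” passes the 3-of-4 character class test yet still fails, because the normaliser reduces it to a dictionary word; a checker that only counts character classes would accept it.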

Protection of sensitive information

— All sensitive information (such as personal records, social security numbers, financial account information, credit card numbers, medical records, and information related to unique processes or devices patented by the college) must be encrypted when not in active use, i.e., when it is not being manipulated by software or viewed by an authorized user. Physical security measures such as safes, locking furniture, and locking office doors are recommended as a supplementary protection for sensitive information. Information systems handling sensitive information must securely log all significant security-relevant events. Examples of such events include password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software. Using an ordinary delete or erase function is not sufficient for disposing of sensitive information, because the data may still be recoverable. For technical support in securely deleting sensitive information, contact the ITS help desk.

External Disclosure of Security Information

— Information about security measures for college computer and network systems is confidential and must not be released to people who are not authorized users of the involved systems unless approved by the Director of Information Security.

Prohibited Activities

— Personnel must not test or attempt to compromise computer or communication system security measures unless specifically approved and directed by ITS. Incidents involving unapproved system hacking, password guessing, file decryption, bootleg software copying, or similar unauthorized attempts to compromise information security measures may be unlawful, and will be considered serious violations of college policy. Shortcuts bypassing system security measures, pranks, and practical jokes involving the compromise of information system security measures are prohibited. Unless specifically authorized by ITS, personnel must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information security. Examples of such tools include those that defeat software copy protection, discover sensitive passwords, identify security vulnerabilities, or decrypt encrypted files.

Mandatory Reporting and Incident Response

— All suspected policy violations, system intrusions, virus infections, or other information security alerts that indicate a potential risk to college information or college information systems must be reported immediately to the ITS help desk.

Consequences of Non–compliance

— College management reserves the right to revoke the system and account access privileges of any user at any time. Conduct that interferes with the normal and proper operation of college information systems, that adversely affects the ability of others to use these information systems, or that is harmful or offensive to others is not permitted. Non-compliance with this information security policy, and with all related standards or procedures, is grounds for disciplinary action up to and including termination of employment.

Information Systems Use Policy

— Inappropriate use of information systems can compromise information security. Therefore, you should also refer to the college Information Systems Use Policy.