Technology Acceptable Use Policy

 

1.       Overview and General Principles

New England Conservatory (NEC) allocates technology resources to employees to perform their position and/or departmental duties in support of departmental, operational and organizational goals.

These technology resources include, but are not limited to, voice and data technology infrastructure components and services owned, leased and/or provided by NEC; wired and wireless services; directory, internal and externally-assigned IP addresses, file, database, voicemail, email and print services; all server, network and local computer data, including email messages; named employee user, departmental and role accounts; employee allocated computing equipment (hardware, software and peripherals) and internet access. The I.T. Services department is responsible for the procurement, management and monitoring of these technology resources on behalf of NEC.

Employees must make accommodations for the I.T. Services department to access technology resources for the purpose of troubleshooting, maintenance, replacement or repair. Some critical issues prevent advance scheduling or notification and employees should defer judgment regarding the necessity and urgency of certain work.

Employment constitutes acknowledgement and acceptance of this policy. It is the responsibility of all employees to be aware of this policy and to abide by its terms.

2.       Monitoring Disclosure

All technology services, components and data created or modified using NEC technology services remain the property of NEC and are subject to monitoring, inspection and/or evaluation in order to assure technology service integrity, business operations and continuity, and compliance with NEC policies and state and federal laws.

Use of select technology services (i.e. wireless service and Internet access) is an employee privilege granted by the Conservatory if such use does not violate this policy or interfere with the execution of the employee’s job duties. Extensive or inappropriate personal use of technology resources may result in disciplinary action up to and including termination of employment.  Accordingly, employee computing data is not private and NEC reserves the right to monitor and/or access employees and non-employee users of any and all technology resources with or without notice.

Therefore, employees should not have any expectation of privacy when using technology services. Any unauthorized or inappropriate use discovered during such monitoring activities will constitute a violation of this Policy.

3.       Responsible and Ethical Technology Use

 

Employee technology resource use is expected to be responsible, ethical, and legal. In general, this means respecting the integrity of the computing systems, networks, services and data in support of departmental, operational and organizational goals. The following list, though not exhaustive, provides some guidelines for responsible and ethical behavior:

        Abide by all applicable laws. Do not violate any Federal, State, local law or ordinance.

        Use only computers, computer accounts, and computer files for which you have been authorized. Unauthorized technology resource access is strictly prohibited.

        Use technology resources for Conservatory related work, only. Activities that would jeopardize the Conservatory’s tax-exempt status are prohibited. Persons are not permitted to engage in personal business, consulting or other similar ventures using NEC technology resources.

        Do not engage in unlawful, malicious or disruptive activities.

        Do not view or distribute obscene, pornographic, profane, or sexually oriented material.

        Do not violate laws, rules and regulations prohibiting sexual harassment.

        Do not encourage the use of controlled substances for criminal or illegal purposes.

        Do not create or distribute messages containing defamatory, false, inaccurate, abusive, threatening, racially offensive or otherwise biased, discriminatory or illegal material.

        Do not deliberately obtain, create or distribute incendiary statements to incite violence or promote the use of weapons in the execution of a crime.

        Do not send or post information that is defamatory to the Conservatory, its products/services, colleagues, employees, students and/or customers.

        Do not obtain, share or exchange confidential, proprietary information, trade secrets, or any other privileged, confidential, sensitive or proprietary information.

        Treat computing resources and data as a valuable Conservatory resource. Do not make unauthorized copies of NEC data. Protect NEC’s data and the systems you use.

        Abide by all applicable copyright laws and licenses.  Do not download, copy or pirate software and/or electronic files that are copyrighted or without authorization. NEC policies and the law expressly forbid the copying of software that has not been placed in the public domain or distributed as “freeware” or “shareware.” Reproduction of copyrighted material is subject to the Copyright laws of the United States (Title 17, U.S.C.). Infringement of copyright may subject persons to fines and penalties.

        Take due precaution against the spread of computer viruses. Do not maliciously attempt to propagate viruses; attempt to gain unauthorized access to systems or accounts, applications or other data; intentionally cause congestion, disruption, disablement, alteration, impairment or intentionally jeopardize NEC’s networks or systems.

        Do not modify or tamper with network wiring hardware and jacks. Network services and wiring may not be extended beyond the port provided. Retransmission or propagation of network services is prohibited without explicit permission. This includes the installation of hubs, switches, wireless equipment and/or any/all personal computer equipment.

        The following activities are specifically prohibited: disclosing your password to others; using somebody else’s account to gain access to NEC systems; use of illegal software on the system; copying, altering or deleting someone else’s files without that person’s permission; forging messages; cracking passwords and systems; sending harassing or threatening messages; the sending of unauthorized anonymous messages; the sending of bulk unsolicited messages; reading someone else’s files without permission; system attacks; denial of services; and other malicious uses of the network and systems.

 

4.       Account and Passwords

Employees are assigned NEC accounts for conducting organization business. This account follows a first.lastname standard and provides the employee with email (first.lastname@necmusic.edu), computer and network server access according to their job and responsibilities.

All employees who are assigned accounts must keep their login information secure and not share their account info.

Employees must not attempt to gain access to resources not specifically granted to them without explicit authorization. This includes, but is not limited to, trying to access network data without proper authorization, accessing another NEC user’s computer or data without proper authorization, or logging on to NEC computer resources using another user’s username and password.

Employees should not knowingly permit any non-authorized persons to use NEC technology resources except for the purposes of presentation or demonstration while in the presence of an authorized employee.

All unauthorized account, system or service access is strictly prohibited.

5.       Password Policy:

Currently, all staff employees’ account passwords must comprise the following:

        Minimum length: 8 characters

        Must contain:

                ·  An upper case character

                ·  A lower case character

                ·  A base 10 digit (0 through 9)

                ·  A non-alphanumeric character: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

 

        Maximum duration of password:  180 days

        Minimum duration of password:  7 days

 

An automated system will send an email message to the employee to notify them of password expiry. The first message will be sent thirty days in advance, followed by daily messages starting five days prior to expiration. If the employee does not change their password, they will be locked out and will need to contact the I.T. Services department.

 

6.       Computing Equipment

All computing equipment allocated to an employee or department remains the sole property of the New England Conservatory. As stated earlier, procurement and allocation of computing equipment is managed by the I.T. Services department. Computing equipment allocation may be modified at any time based upon Organizational priorities, needs or goals. Any proposed modifications to allocated Computing Equipment must be proposed to and approved by the I.T. Services department. The use of software that was not purchased, licensed and/or authorized by NEC is strictly prohibited.

Employees must make every reasonable effort to keep any equipment allocated to them clean and in good working order. Any damage to Computing Resources beyond what is reasonably considered to be “normal” will be considered the responsibility of the employee who has been assigned to that equipment.

Portable storage devices, such as USB or external hard drives, may be connected provided they are allowed to be scanned by the computer resource’s antivirus/malware detection software to ensure they do not contain service-disrupting viruses or malware. Upon request, the I.T. Services department will provide removable media to staff who need them for NEC-related work.

Laptops - Employees issued a laptop are responsible for the condition, physical security of and prevention of unauthorized access to the item for the duration of the assignment. This equipment is for NEC business use, only, and not for personal use. All allocated items must be returned in good, clean and working order. If not, the employee may be held personally responsible for full replacement cost of the item. If the NEC item is lost or stolen the representative must notify the IT Services department immediately.

Loaner Equipment - Employees borrowing loaner equipment, such as an LCD projector or ‘loaner’ laptop, are responsible for the condition, physical security of and prevention of unauthorized access to the item for the duration of the loan. All borrowed items must be returned in good, clean and working order. If not, the employee may be held personally responsible for full replacement cost of the item. If the NEC item is lost or stolen the representative must notify the IT Services department immediately.

Employees may not physically connect any personal devices to the NEC network without the explicit, written permission of the I.T. Services department.

7.       Email

Email accounts are provided to employees for conducting NEC business, only.

Employees are responsible for managing their email mailbox and messages. Email data storage is a shared resource and all employees must remain mindful of their email quota. An automated informational message will be generated and sent to the employee when the quota is being reached. The employee is then expected to delete messages that are no longer needed to remain below the quota threshold.

Personal email communication should always be conducted via personal email accounts (e.g. Gmail, AOL, Yahoo, etc.) outside NEC. It is the individual employee’s responsibility to communicate to personal contacts that personal correspondence should be sent to the employee’s personal email address, only.

Remote access to NEC email is available at: https://mail.necmucic.edu

Employees need to use their NEC account and password for access.

For additional assistance with remote or mobile email access, employees should visit the I.T. Services Department in room SB228, or contact them via itshelp@necmusic.edu or by calling 617-585-1235.

As stated earlier, all email communications conducted via NEC email servers are considered Records and remain the sole property of NEC. These records are subject to record management retention and policies. NEC reserves the right to monitor email accounts and/or messages to ensure compliance with these policies and regulations. Sending data via email is the same as sending correspondence on official memo or letterhead.

Email Etiquette:

Here are some general guidelines for effectively communicating via email:

 

·         Make your message easy to read.

·         Include a clear, direct subject line, be concise and to the point.

·         Proofread every message. Use proper spelling, grammar and punctuation.

·         Think twice before hitting "reply all."

·         Use CC or BCC sparingly.

·         Never use profanity, threatening language, inappropriate or offensive jokes or stories, etc.

·         Know that people from different cultures speak and write differently.

·         Do not come across as sounding abrupt.

·         Be cautious with humor.

·         Reply to your emails — even if the email wasn't intended for you.

·         Do not assume email is a private conversation.

·         Do not send confidential messages via email.

 

8.       Internet Usage

Use of the Internet by employees is a privilege and is permitted and encouraged where such use supports NEC’s goals and objectives. Employees are expected to use the Internet responsibly and productively for job-related activities, and personal use should be limited.

The equipment, services and technology used to access the Internet are the property of NEC and the company reserves the right to monitor Internet traffic and monitor and access data that is composed, sent or received through its technology services.

Violation of these policies could result in disciplinary and/or legal action leading up to and including termination of employment. Employees may also be held personally liable for damages caused by any violations of this policy.

9.       Social Media

Social media has changed the way people communicate and NEC views social media and networking sites as powerful tools to strengthen our brand and to further the organization.

Social media is a rapidly changing landscape of products and services, including web forums, blogs, online profiles, wikis, podcasts, photos and video, email and instant messaging/texting, to name a few. Some examples of social media sites include LinkedIn, Facebook, Snapchat, MySpace, Wikipedia, YouTube, Twitter, Yelp, Flickr, Second Life, Yahoo or Google groups, WordPress, ZoomInfo.

When you are participating in social networking, you are representing both yourself personally and NEC. It is not NEC’s intention to restrict your ability to have an online presence and to mandate what you can and cannot say. NEC believes social networking is a very valuable tool and continues to advocate the responsible involvement of all employees in this space. While NEC encourages this online collaboration, we would like to provide a set of guidelines for appropriate online conduct and to avoid misuse of this communication medium.

Policy Guidelines:

·         Do not post any financial, confidential, sensitive or proprietary information about The New England Conservatory of Music (NEC) or about any of our students or employees.

·         Speak respectfully about our current, former and potential students, employees and competitors. Do not engage in name-calling or behavior that will reflect negatively on your or NEC’s reputations. The same guidelines hold true for NEC vendors and business partners.

·         Beware of comments that could reflect poorly on you and NEC. Social media sites are not the forum for venting personal complaints about supervisors, co-workers, or NEC.

·         As an NEC employee, be aware that you are personally responsible for the content you post.

·         Use privacy settings when appropriate. Remember, the Internet is immediate and nothing posted is ever truly private nor does it expire.

·         If you see unfavorable opinions, negative comments or criticism about yourself or NEC, do not try to have the post removed or send a written reply that will escalate the situation. Forward this information to Human Resources and the Marketing Department.

·         If you are posting to personal networking sites and are speaking about job related content or about NEC, identify yourself as an NEC employee and use a disclaimer and make it clear that these views are not reflective of the views of NEC. “The opinions expressed on this site are my own and do not necessarily represent the views of NEC.”

·         Many sites like Facebook and Twitter blur the lines between business and personal. Keep this in mind and make sure to have a balance of information that shows both your professional and personal sides. And always balance negative with positive comments.

·         Be respectful of others. Think of what you say online in the same way as statements you might make to the media, or emails you might send to people you don’t know. Stick to the facts, try to give accurate information and correct mistakes right away.

·         Do not post obscenities, slurs or personal attacks that can damage both your reputation and NEC’s.

·         When posting to social media sites, be knowledgeable, interesting, honest and add value. NEC’s outstanding reputation and brand are a direct result of our employees and their commitment to uphold our core values of Integrity, Dedication, Teamwork and Excellence.

·         Do not infringe on copyrights or trademarks. Don’t use images without permission and remember to cite where you saw information if it’s not your own thoughts.

·         Be aware that you are not anonymous when you make online comments. Information on your networking profiles is published in a very public place. Even if you post anonymously or under a pseudonym, your identity can still be revealed.

·         If contacted by the media refer them to the Marketing Department.

NEC may monitor web content and reserves the right to remove posts that violate this policy.

Users who violate the Policy may be subject to discipline, up to and including termination of employment. If you have any questions about this policy or a specific posting out on the web, please contact the Human Resources department.

 

10.   WISP

Purpose of this Policy:

 

NEC recognizes its need to maintain the confidentiality of Personal Identity Information (PII) and understands that such information is unique to each individual. The PII covered by this policy may come from various types of individuals performing tasks on behalf of the Conservatory and includes employees, faculty, students, independent contractors and any PII maintained on its customer base. The scope of this policy is intended to be comprehensive and will include Conservatory requirements for the security and protection of such information throughout the Conservatory and its approved vendors both on and off work premises.

 

Departments named in this policy have delegated authority for developing and implementing procedural guidance for ensuring that their departmental responsibilities under this policy are communicated and enforced.

 

Definitions:

 

Personal Identity Information (PII): Unique personal identification numbers or data, including:

 

        Social Security Numbers (or their equivalent issued by governmental entities outside the United States).

        Taxpayer Identification Numbers (or their equivalent issued by governmental revenue entities outside the United States).

        State or foreign driver’s license numbers.

        Bank account numbers.

        Corporate or individually held credit or debit transaction card numbers (including PIN or access numbers) maintained in organizational or approved vendor records.

        Electronic identification codes (need to be validated).

        Automated or electronic signatures (need to be validated).

 

For context, the definition of Personal Information according to Massachusetts regulations is: a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

 

PII may reside in hard copy or electronic records; both forms of PII fall within the scope of this policy.

 

NEC representative: employee, staff, faculty, student, contract/temporary employee or anyone working on behalf of New England Conservatory.

 

Portable Storage Device: a device designed to store any kind of electronic data. This may include, but is not limited to, portable computers, tablets, phones, hard or USB/SD drives or cards.

 

Data Security, Access, Transmission, Transport and Retention

 

Conservatory Network Security:

 

Physical security of Conservatory servers--Servers are kept in a locked room with access limited to the Conservatory IT, Security/Public Safety and Building Operations staff.

 

The Conservatory network is secured by up-to-date and robust virus protection.

 

The Conservatory internal network is secured behind a robust firewall.

 

Remote access is available using a secure encryption protocol.  This service is made available to select and approved administrative positions, only.

 

Conservatory Premises Electronic Access to PII: Finance, Human Resources and IT have defined responsibilities for on-site access of data that may include access to PII; IT has the responsibility for all electronic records and data access capabilities. Finance and Human Resources have the operational responsibility for designating initial access and termination of access for individual users within their organizations and providing timely notice to IT.  The security controls include but are not limited to password protected accounts, network folders/files and services. Termination of an employee, vendor or independent contractor with access will immediately result in the termination of the user’s access to all systems where the PII may reside.

 

NEC representatives must never transmit PII through any type of messaging system (e.g. email, instant messaging, text messages, etc.).

 

Portable Storage Devices: NEC reserves the right to restrict PII data it maintains in the workplace. In the normal course of doing business, NEC does not allow the downloading of PII data to portable computing storage devices.  In the event of an approved need to download PII to a portable computing storage device, such data shall be encrypted and/or utilize acceptable security protection software while such devices are in use on or off Conservatory premises. The IT department has responsibility for maintaining data encryption and data protection standards to protect PII data that resides on these portable storage devices.

 

Off-Site Access to PII: NEC understands that employees may need to access PII while off site and access to such data shall not be prohibited, subject to the provision that the data to be accessed is minimized to the degree possible to meet business needs and that such data shall be accessed only via secured and encrypted access methods and reside only on assigned laptops/approved storage devices that have been secured in advance by the IT department. Any approved remote access to PII shall be through a secured and encrypted method.

 

Conservatory Premises Physical Access to PII: All PII will be maintained in designated locations as determined by the Finance department. Such locations shall in all cases be within a locked room with limited access. The Finance department shall be responsible for control of any keys.

 

Physical hardcopies containing PII – Any transfer of PII to any type of physical media (i.e. saving information to a portable device or hardcopy printing) must be explicitly approved by the Department Head.  In the event a Department Head approved event requires the printing of PII information, the approving Department Head is responsible for ensuring the information is used solely for institutional business, for the physical security of the information at all times and for the secure destruction/shredding of all hardcopies. 

 

Vendors: Individual(s) or companies that have been approved by the Finance department as a recipient of organizational PII and from which the Finance department has received certification of their data protection practices’ conformance with the requirements of this policy. Vendors include all external providers of services to the Conservatory and include proposed vendors. No PII information can be transmitted to any vendor in any method unless the vendor has been certified for the receipt of such information.

 

Vendors must use secure encryption to transmit files containing PII to/from the Conservatory network.

 

Transport: When it is necessary for physical hardcopies to be transported from one area of the institution to another, the transmitting Department Head is responsible for ensuring the information is used for institutional business, for the physical security of the information at all times and for the secure destruction/shredding of all hardcopies.

 

PII Retention: NEC understands the importance of minimizing the amount of PII data it maintains and retains such PII only as long as necessary. PII data shall be retained by NEC only in accordance with Conservatory record retention policies [currently under development] and applicable laws.

 

Notification in the Event of a Data Breach

 

Upon becoming aware of a PII data breach, the Conservatory will notify all affected individuals whose data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible.

 

NEC legal counsel will handle breach notification(s) to all governmental agencies and to whom such notice must be provided in accordance with time frames specified under these laws. Notices to affected individuals will be communicated by the Human Resources department after consultation with the legal counsel and within the time frame specified under the appropriate law(s).

 

Training and Compliance Review

 

PII Training: All new hires entering the Conservatory who may have access to PII are provided with training by the Human Resources department regarding the provisions of this policy.  Employees in positions with regular ongoing access to PII or those transferred into such positions are provided with training reinforcing this policy and procedures for the maintenance of PII data and shall receive annual training regarding the security and protection of PII data and Conservatory proprietary data.

 

PII Compliance Reviews: NEC will conduct periodic reviews of PII information maintained by the Conservatory to ensure that this policy remains strictly enforced and to ascertain the necessity for the continued retention of PII information.

 

Regulatory Requirements: It is the policy of the Conservatory to comply with any applicable federal or state statute and reporting regulations. NEC has delegated the responsibility for maintaining PII security provisions to the departments noted in this policy. Legal shall oversee all regulatory reporting compliance issues. If any provision of this policy conflicts with an applicable statutory requirement of federal or state law governing PII, the policy provision(s) that conflict shall be superseded.

 

Confirmation of Confidentiality: All Conservatory representatives must maintain the confidentiality of PII as well as Conservatory proprietary data to which they may have access and understand that such PII is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this Conservatory requirement.

 

Violations of PII Policies and Procedures: NEC views the protection of PII data to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under the Conservatory’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PII violations and disciplinary actions are incorporated in the Conservatory’s PII on-boarding process and annual refresher training to reinforce the Conservatory’s continuing commitment to ensuring that this data is protected by the high standards contained herein.

 

 

 

 

 

 

2016-08-31

 

