Crest for Policies

Policy J8
Policy Name: Devices Connected to the OCC Computer Systems and Communications Networks
Responsibility for Maintenance: Information Technology

Date of most recent changes: June 19, 2015

I. Policy Statement  

Devices connected to the OCC computer systems and communications networks must have adequate controls, security, and maintenance to protect the College, its computer systems and communications networks. Devices connected to the OCC computer systems and communications networks must meet the security standards outlined in the policy. OCC does not provide technical support for the use of personal owned devices, equipment or software.

II. Reason for Policy  

The College's ability to conduct its business is dependent on reliable and secure access to its computer systems and communications networks. The OCC computer systems and communications networks and may be jeopardized by computers/workstations, servers, and other devices that are not adequately maintained or protected from virus, Trojan, worm and other malicious attacks.

III. Applicability of the Policy  

This policy applies to all devices connected to the OCC computer systems and communications networks.

IV. Contacts  

Subject   Office Name   Title or Position   Telephone Number   Email/URL  
Entire policy Information Technology Director of Enterprise Infrastructure (315)-498-2497 k.slade@sunyocc.edu  

V. Definitions  

Term   Definition  
Device A Device can be a computer/workstation, laptop, server, printer, mobile device, or any other instrument capable of connecting to and interacting with the OCC computer systems and communications networks and/or other devices on the computer systems and communications networks.
Principal User A Principal User is an individual who is the primary user of, or the individual or group responsible for the administration of a device.
Compromised Device For the purposes of this policy, a device is considered compromised once it has been substantiated:
1. That its security is breached and that unauthorized processes or user(s) have access to and are able to control its data and/or resources; 

2. That it has been configured in a way that could threaten, harm, or interfere with the operation, integrity, or network access of other devices; or 
3. That it is actively being used to threaten, harm, or interfere with the operation, integrity, or network access of other devices.

4. Does not meet the security standards outlined in this policy.  

Vulnerable Device A Device is considered vulnerable once it has been substantiated that known actions necessary to prevent it from being compromised have not been taken - despite those actions having been recommended by the Office of the CIO or by entities charged by the CIO to secure the OCC computer systems and communications networks.
Connected Device A Device is considered connected to the OCC computer systems and communications networks when it is attached:
1. To a trusted port (not requiring authentication for its use) on the network;
2. To a port in the Residence Halls;
3. To an open Ethernet port (requiring authentication to a firewall for its use) on the network;
4. To a wireless access point (requiring authentication for its use) on the network;
5. Through an ISP via a VPN (virtual private network) session;
6. Via connections established at institutions affiliated with the College, such as Onondaga County offices; or
7. By any means that enables its access to the College network.
Server Any computer that delivers information and software to other computers linked by a network.

VI. Procedures  

Connecting a Device to the College Network: A Principal User who connects a Device to the OCC computer systems and communications networks is responsible for assuring the Device is properly secured and protected against compromise. Specifically, any Device connected to the OCC computer systems and communications networks must (when applicable):

  1. If a Server, be housed and maintained in OCC’s IT computer room, or have received approval from IT for an alternate arrangement.
  2. Have an authorized static IP address or be appropriately registered for DHCP;
  3. Be configured to run a supported version of an operating system for which patches for newly identified security breaches are developed and distributed in a timely manner;
  4. Be configured in such a way that known vulnerabilities - such as open FTP ports and open relays - are eliminated or minimized;
  5. Be maintained in such a way that patches which close known security breaches are applied as soon as they become available;
  6. Have antivirus software installed on it that runs continuously and is updated regularly;
  7. Be scanned and determined to be free of viruses and other known compromises that may have been introduced to its operating environment;
  8. Be used for appropriate purposes related to the educational and research mission of the College or to the conduct of its legitimate business activities; and
  9. The ID and password allowing the highest level of administrative access to a server must be escrowed with IT. That is, procedures for access to the administration ID/Password for a server must be made available to IT’s Network Computing management in the event of problems or emergency.

Security Standards for Mobile Devices Connected to the OCC Network:

  1. Have a non-trivial pass code with a minimum required length of four characters.
  2. If a mobile device is lost or stolen, the Helpdesk should be contacted at 498-2999 to facilitate network password changes or other security measures to prevent loss of College data.
  3. Have an inactivity timeout to automatically lock the device after a maximum of 10 minutes.

Violations: Any Principal User who violates this or other OCC policies, procedures, contractual obligations, or applicable state or federal laws, will be subject to appropriate disciplinary and legal action, including, but not limited to, the limitation or denial of access to OCC’s computer systems and communications networks. Violators may also be subject to disciplinary action, up to and including termination.

Any device to be connected to the campus network requires the knowledge and authorization of the Information Technology department. OCC does not provide technical support of personal owned device, equipment and/or software. Unprotected or corrupted devices may cause outages and compatibility issues with the OCC computing environment.

OCC reserves the right to revoke access to computer systems and communications networks for devices that fail to meet the security standards in this policy or may be considered vulnerable or compromised.  The authorized use of Onondaga Community College’s computer systems and communications networks by student, faculty, staff, and authorized visitors shall be consistent with this Policy.


Approved by the President June 29, 2009

Updated and approved by the President April 14, 2014

Updated and approved by the President June 19, 2015