Policy Number: CS-1502-2002
Policy Title: Acceptable Employee Use of IT Resources Policy
Policy Owner: Chief Information Officer
Effective Date:
Last Revised:
On this page:
- Purpose
- Application and Scope
- Definitions
- Principles
- Accountability and Compliance
- Roles and Responsibilities
- Rules
- Policy Revision Date
- Attachments
- Specific Links
1. Purpose
The purpose of this policy is to provide College employees with guidance on acceptable and unacceptable use of the College’s Information Technology (IT) resources. Computing, networking, telephony, and information resources of Mohawk College are available to advance our education, teaching, research, and administration service missions. Any access and use of these resources and services that interfere with these goals are prohibited.
All who access and use these resources will abide by this policy, all applicable policies, legal and contractual requirements, and the highest standard of ethical principles and practices, when using these College resources.
2. Application and Scope
This policy applies to all employees, contractors, consultants, volunteers, researchers, or other workers including College community members that use any component of the College’s computing, networking, telephony and information technology resources regardless of the physical location or device used. This policy excludes students, except where students are employed by, or on a work placement with, the College.
3. Definitions
“Authenticate” refers to the process of logging onto an IT resource by validating a user’s identity. This is typically completed by providing a username and then validating that username by providing something you know such as a password, something you have such as a card, or by providing something you are – such as a biometric piece of information (fingerprint, retina scan, palm, etc.).
“Electronic Notification” means notification made by the College by electronic means including but not limited to email using Microsoft (MS) Outlook, messaging through MS Teams, or the College Portal (MyMohawk).
“IT Infrastructure” refers to software, hardware, devices, mobile devices, networks, server systems, data storage, data centres, related equipment, and cloud-based technologies.
“IT resources” refers to any IT Infrastructure component that can be interacted with and used by users such as a computer, application, website, mobile phone, data, removable hardware etc.
“Manager” refers to a person who has charge over a workplace or authority over a worker, including, Managers, Directors, Associate Deans, Deans, Registrar, Chiefs, Vice Presidents and President.
“Sensitive Information” as defined in the College’s Information Governance and Security Policy is information that should not be shared and may include restricted, confidential, or personally identifiable information or documents which may be marked as “Internal Use Only.”
“System Administration” refers to the act of system upkeep, configuration, and reliable operations of an information technology system and can only be completed by having administrative access to a system to make changes.
“Untrusted Software” refers to software that does not come directly from the source of a reputable company that sells or distributes that software or software that is obtained from a third-party source or illegally downloaded.
“User(s)” includes any person that uses or operates an IT resource.
“VPN” stands for Virtual Private Network and is a software application that creates a secure encrypted tunnel between a remote computer and the College campus. Using this technology ensures that data communications are kept secure.
4. Principles
This policy is based on five key principles:
Ethics, Values and Fairness
Exercise common decency, good judgement, and respect for the College community members and property.
Preserve the integrity and availability of systems and services and ensuring that actions taken by College community members do not negatively affect College IT resources.
Protect and safeguard College IT infrastructure and information.
Use of IT resources adheres to all legal, regulatory and College policy requirements.
Access to IT resources is uninterrupted and accessible when needed
5. Accountability and Compliance
5.1 Accountability Framework
This policy has been approved by the Senior Leadership Team.
5.2 Compliance
The Chief Information Officer in cooperation with the Director of Information Security and the Chief Marketing Officer and other relevant departments will enforce compliance with this policy through multiple means including but not limited to monitoring, reporting, observation, and audit.
6. Roles and Responsibilities
6.1 Chief Information Officer
The Chief Information Officer is accountable for the security of all IT resources.
6.2 Director, Information Security
The Director of Information Security is responsible for the security of all IT resources and communicating IT Security Policies to employees.
6.3 Chief Marketing Officer
The Chief Marketing Officer is responsible for the College’s public-facing and internal websites and champions compliance with College’s policies.
6.4 Manager, Web & Content Optimization
The Manager, Web & Content Optimization is responsible for overseeing the College’s web properties, creation of websites, website branding, and oversees website management and maintenance.
6.5 Web Steering Committee
The Web Steering Committee is responsible for ensuring Mohawk College’s external website(s) are supported, for issues related to content, policy, accessibility, and connectivity for all web pages hosted on the Mohawk College network.
6.6 Managers
Managers are responsible for:
- communicating IT security policies and procedures to employees;
- complying with all IT policies and procedures;
- ensuring that IT resources are procured in compliance with the IT Asset Management Policy and configured and maintained in compliance with all IT Policies.
- working collaboratively with Information Technology and IT Security Services to secure resources.
- ensuring completion of any mandatory IT training.
6.7 Individual Users of IT Resources
All users of IT resources are responsible for protecting the confidentiality, integrity, and availability of our information and systems in accordance with this policy and completing all assigned training.
All authorized users of Mohawk College affiliated webpages are responsible for the content and maintenance of their own websites(s), webpages, webforms, uploaded assets (documents/files), or MyMohawk applets and must follow the procedures outlined in Appendix C.
7. Rules
7.1 Authorized Use
All users of Mohawk College IT resources must use those resources to carry out the functions for which they were authorized, specifically:
- Access to IT resources shall only be provided to active employees, contractors, consultants, temporary, part-time, or other workers in compliance with Mohawk College’s IT User Account Life Cycle Policy. Visitors may be provided access to limited resources such as open guest Wi-Fi, or authenticated guest Wi-fi when registered through Eduroam eVA, or when registered with the IT Service Desk.
- Use of IT resources must align with the appropriate Academic, Support, Research, or Administrative intentions for which they are provided.
- Access to and use of IT resources is limited to those which the user is authorized to use.
- Employees must always authenticate using the College provided account which was assigned specifically to them to access IT resources and should not use any other user account other than their own when accessing IT resources unless an exception has been granted by IT Security.
- The use of generative artificial intelligence including imagery, video, and text must be carefully reviewed by qualified resources to ensure that output is correct, ethical, non-discriminatory, aligned to college business and not influenced by bias.
- All users responsible for the content and maintenance of Mohawk College webpages, webforms, uploaded assets or MyMohawk applets, etc, must take the mandatory training(s) provided, comply with all College web guidelines and policies, and the rules and procedures outlined in this policy. See Appendix C for web posting procedures. All users who send out internal electronic communications whether college-wide or to a large group of recipients, on behalf of the college must follow the rules and procedures outlined within this policy and in Appendix C
- All users who send out external electronic communications on behalf of the college must follow the rules and procedures outlined within this policy and in Appendix C, and follow Canada’s Anti-Spam Legislation (CASL). For questions related to CASL, please contact myconsent [at] mohawkcollege.ca (myconsent[at]mohawkcollege[dot]ca).
- Employees must return all IT resources at the end of employment or when their role changes including but not limited to desktops, laptops, tablets, removable media, and mobile devices.
7.2 Personal Use
Occasional personal use of IT resources is permitted in accordance with the following. Users:
- Must not use IT resources in a way that interferes with employment duties.
- Must not create any monetary cost to the College.
- Must keep browsing limited to trusted, reputable websites.
- Must not threaten the security or availability of IT resources.
Although the College permits occasional personal use of its IT resources, the College reserves the right to restrict occasional incidental personal use of IT resources at any time and as the College sees fit and is not responsible for personal data stored on College resources.
7.3 Prohibited Use
All users of Mohawk College IT resources are strictly prohibited from:
- Using IT resources for any political, religious, or commercial activity, or, for conducting any personal business in which they would receive personal or financial gain unless they have received permission from the Conflict of Interest Committee in accordance with the Conflict of Interest Policy.
- Using IT resources in a way that interferes with employment duties, or, creates any monetary cost to the College.
- Exporting software from the College for resale or distribution.
- Exporting any sensitive information or intellectual property of the College or business partners without the appropriate consent or contractual agreements.
- Accessing, creating, or enabling hyperlinks to discriminatory, defamatory, bullying, harassing, offensive, pornographic, or obscene content.
- Collecting information via webforms that is classified as Restricted or Restricted-Health by the College’s Information Governance and Security Policy.
- Performing Information Technology System Administration from a personally owned device.
- Deliberately circumventing or attempting to circumvent data protection and system access controls.
7.4 Security
Users of IT resources must not knowingly place the security of information or systems at risk. At all times, Users must:
- Set a strong password that at minimum complies with Appendix B of this policy.
- Comply with the Information Security and Data Classification Policy at all times regarding collecting, classifying, labelling, securing, storing, using, copying, transferring, and disposing of information.
- Users have a duty to ensure that their web publishing and electronic notification practices do not adversely affect others or expose sensitive information, including personally identifiable information to inadvertent disclosure, theft, or loss
- Never upload sensitive information to publicly available artificial intelligence solutions where the College has not explicitly authorized the use of that tool for sensitive information.
- Keep your passwords and pin codes secure and never share them with any individual.
- Contact the IT Service Desk immediately in the event of an IT security incident, see Appendix A for procedure.
- Take precaution prior to opening any attachment or clicking on links within electronic messages.
- Store all work on central College servers or authorized cloud services to ensure that sensitive, confidential and personal information is protected and that work is backed up regularly.
- Never use personal e-mail accounts to conduct College business.
- Only upload sensitive information to cloud services which are approved by IT and have been subject to a risk assessment in compliance with Mohawk College’s IT Asset Management Policy and are present on Information Technologies Application Inventory. Contact the IT Service Desk to confirm the application is approved before use.
- Comply with the College’s Local Administrators Policy and never install untrusted software or applications on IT infrastructure or resources.
- Always use the College provided VPN when performing work remotely.
- Ensure that personally owned devices that may come in contact with IT resources are protected with antivirus software, a personal firewall, and regularly install security updates and patches to operating systems, applications, and web browsers.
No individual shall knowingly breach, compromise, endanger or threaten the College’s IT resources, attempt to do so, or allow others to do so. This includes probing, scanning, assessing, penetrating or affecting the availability of College IT resources. Users must report any misuse of IT resources to the IT Service Desk, or to the Chief Information Officer. Failure to report misuse may result in the assumption that the User who witnessed the misuse was party to the act.
Mohawk College reserves the right and responsibility to protect the College and community members from security threats and inappropriate use of IT infrastructure and resources by taking actions, including but not limited to:
- Quarantining your device and resetting your account password immediately and without your awareness or consent.
- Monitoring computers, mobile devices, systems, networks, services, accounts, web activity, and user activity.
- Denying a user the right to access IT resources at any time the College deems necessary.
7.5 Compliance
Use of the College’s IT resources is subject to, and must comply with, all applicable laws and College policies and procedures, including this policy. Use of IT resources must at all times be responsible, ethical, and lawful. Non-compliance with applicable laws and regulations may result in civil liability or criminal prosecution. The College reserves the right to restrict or deny access to its IT resources, to monitor your use of those resources and to take actions it deems necessary or appropriate to protect College IT resources. By using the College’s IT resources, Users are confirming agreement with this policy.
In addition to the above, Users of IT resources must also comply with:
- Applicable collective agreements, terms and conditions of employment and the code of conduct policy;
- Copyright Laws including, but not limited to, the sharing of pirated software, audio, and video.
- Licensing agreements; and
- Any other agreements between the College and an external service provider.
7.6 Noncompliance
Noncompliance with this policy may result in any one or combination of the following sanctions:
- Verbal warnings;
- Written warnings;
- Restricted access to, or complete withdrawal of access to IT resources;
- Suspension from work;
- Termination;
- Recovery of costs due to damages or fees; and/or
- Criminal or civil action.
8. Policy Revision Date
8.1 Revision Date
February 2030
8.2 Responsibility
The Chief Information Officer will review this policy every five years or earlier where required.
9. Attachments
10. Specific Links
- CS-1306-1979 Conflict of Interest Policy
- CS-1321-2024 Employee Code of Conduct Policy
- CS-1317-2012 Respectful Workplace (Anti-Harassment and Anti-Discrimination) Policy
- CS-1503-2007 Wireless and Cellular Technology Policy
- GC-4100-2013 Intellectual Property and Commercialization Principles Policy
- CS-1508-2020 Information Governance and Security Policy
- GC-4101-2013 Copyright Policy
- GC-4200-2013 Social Media Policy
- CS-1509-2021 IT User Account Life Cycle Policy
- CS-1511-2021 Requirements for Encryption Policy
- SS-3300-1978 Corporate Brand Adherence Policy
- Academic Collective Agreement
- Support Staff Collective Agreement
- Terms and Conditions of Employment for Administrative Staff
- Mohawk College Strategic Plan
- Privacy and Legal Statements
- Copyright Act
- Employee Departure Checklist
- Canada’s Anti-Spam Legislation
Appendix A: Reporting an IT Security Incident
What is an IT Security Incident?
An IT is an incident that may affect the confidentiality, integrity or availability of the College’s IT infrastructure through unauthorized access, accidental disclosure, or other, including:
- The presence of any form of malicious software (malware, viruses, worms, etc.).
- The presence of any abnormal software that was not previously present on a computer or server.
- Suspicion that your user account has been compromised.
- Intentional or accidental exposure of sensitive information.
- Web browsers re-directing automatically or producing popup messages or advertisements unexpectedly.
- File types, formats, or naming conventions changing unexpectedly or files not opening as expected.
- Slow computer performance, applications hanging, or any unexpected behaviour.
- Notifications that anti-virus or firewalls are not running or are disabled.
- Clicking a link, opening an attachment, or providing credentials in response to a suspicious e-mail.
- Lost or stolen devices including but not limited to laptops, mobile phones, desktop computers, portable storage devices, switches, etc.
Reporting an IT Security Incident
- Disconnect the network cable from the computer and/or disable Wi-Fi.
- Do not power off the computer.
- Contact the Mohawk College IT Service Desk immediately by phone if you believe you are experiencing an IT Security incident regardless of your location.
- Phone: 905-575-1212 ext. 2199
- Inform your immediate manager of the current status.
- Make notes about the IT incident to make sure that you can provide clear and accurate information to IT staff.
- When making notes, consider the following:
- What happened?
- What websites have I visited recently?
- Have I received any suspicious e-mails that were actioned recently?
- When did it happen? (specifically at what time)
- Where did it happen (Physical Location and Network Location (ex: Wireless)?
- Who was involved?
- Could there be sensitive, personal or confidential information at risk?
- What happened?
- When making notes, consider the following:
Appendix B: Secure Password Requirements
All users must set passwords of high quality to protect their accounts from compromise following the requirements below.
Passwords Must:
- Be a minimum of eight characters in length;
- Not be the same as the last six passwords used;
- Use three of the following four character classes:
- Lower Case Letters;
- Upper Case Letters;
- Numbers;
- Symbols;
- Be free of multiple consecutive characters or numbers;
- Not be based on something that could be easily guessed or a dictionary word;
- Not be the same as passwords used for personal accounts.
In addition to the rules above, passwords must be reset if they are ever shared or exposed. Information Technology will immediately reset any password should it be suspected to be compromised.
Appendix C: Web Posting and Electronic Notifications Procedure
P1. Roles and Responsibilities
P1.1 Web Steering Committee
The Web Steering Committee is responsible for ensuring Mohawk College’s external website(s) are supported, for issues related to content, policy, accessibility, and connectivity for all web pages hosted on the Mohawk College network with guidance and support of the Marketing Web Team.
P1.2 Authorized Users of Mohawk College Affiliated Webpages
Each academic or administrative department or unit is responsible for the content and maintenance of its own website(s), webpages, webforms, uploaded assets (documents/files), or MyMohawk applets, and for complying with established College web guidelines. Maintenance in this connection means keeping existing content current, adding new content when necessary, deleting obsolete content, making corrections and ensuring AODA compliance. Responsibilities also include:
Ensuring that all requested updates are reviewed, acknowledged, and approved before the request is submitted.
The data collection/maintenance/clearing of their webforms.
Assigning a Primary Contact and their Backup that will represent their respective Department/Channel/Business Unit for submission of any website change or update.
Ensuring that authorized users are aware of and agree to College Policies and Procedures and that they are adhered to before the request and submission to publish can occur.
Ensuring that websites, pages, and platforms are secured and comply with the College’s Patch and Vulnerability Management Policy.
P1.3 Owners of Other Mohawk College-affiliated Webpages
Any member of a project, group, organization or other unit that has a website affiliated with the College is responsible for the content and maintenance of its own website, and for complying with the established College web and other policies, while utilizing guidelines/tools and appropriate support from the Web Team where applicable.
P1.4 Individual Users
All authorized users are responsible to comply with the Procedures as outlined in this policy when submitting a request to post or publish to either the external or internal websites.
P2. Procedures to Request a Change to the External Corporate Website; mohawkcollege.ca and / or Internal Mohawk College Portal (MyMohawk)
Each Department/Business Unit, as directed by the Web Steering Committee, will assign a Primary representative that will be the single point of contact when submitting requests for revisions to the web.
All request submissions must be written and submitted, with prior approval from the respective. SLT and/or approved designate, via the web platform Optimizely:
All proposed revisions or updates to the external website and / or MyMohawk must be submitted by the applicable representative as previously identified. Any request being submitted by any other contact, other than the designated represented via email or otherwise, for the purpose of revising, updating, or adding to the content of the existing external website, without the approval of their manager or above, will not be actioned.
P3. Procedures for Sending and / or Submitting Requests for Internal and External Email Communications
- Requests for email communications to employees, faculty, students and external audiences as well as insertion in the Inside Mohawk newsletter, should be sent to the Communications team through the Communications Request Form which is located on MyMohawk. in the Integrated Communications – Employee Toolkit.
Requests for employee only communications via Inside Mohawk or announcement emails, can also be requested by sending content to announcementrequests [at] mohawkcollege.ca (announcementrequests[at]mohawkcollege[dot]ca)
Requests for insertion in the Weekly Student Newsletter should be sent through the Email / Eblast / Student Newsletter request form in Optimizely.
Any department within the college deploying their own email communications to external audiences on behalf of the college must align with Canada’s Anti-Spam Legislation (CASL). These audiences include, but are not limited to: prospective students, current students, alumni, partners and employers.
P4. Request for non-Mohawk College Staff to Access/Edit/Administer External Mohawk College Websites, Webpages, Forms
Access to MyMohawk, webforms, mohawkcollege.ca will not be permitted for non-Mohawk College staff.
If external access is requested for non-Mohawk College staff (contracted professionals) for Wordpress sites, they must complete the required details via the Contractor Access Request Form in Optimizely.