2.10.5 Information Security Policy

2.10.5.1 Individual Responsibility

All users of College technology resources or data must take reasonable precautions against threats to information security, whether using College or non-College systems, networks, or applications.

Individuals must take reasonable precautions to ensure the security of any computers and mobile devices or other systems, software, or services they use to access College systems, networks, or data, whether such systems are managed by the College, personally owned, or belonging to others. This includes but is not limited to complying with all College policies, standards, and procedures, and promptly installing security updates, mitigating vulnerabilities, and maintaining appropriate security protections.

2.10.5.2 Security Classification

The College’s IT Security Classification Standard establishes classification levels for data, user accounts, and other IT Resources to inform security decisions and support other policies and standards. Among other terms, it defines data classifications used below: sensitive, internal, and public.

The College may require varying security protections for data, user accounts, and other IT Resources based on their security classification and other factors.

2.10.5.3 Authentication

Passwords and other authentication methods used for College user accounts must meet the Passwords and Authentication Standard.

2.10.5.4 Computer and Mobile Device Security

All computers and mobile devices, including non-College devices, used to log into College systems, services, apps, or data must:

  • Comply with the College’s Computer and Mobile Device Security Standard
  • Comply with the College’s Data Encryption Standard
  • Run only operating systems and other software that are currently supported, meaning that effective security updates are promptly made available by the manufacturer when vulnerabilities are discovered. Security updates must be applied within 30 days of release, preferably within 14 days.

Systems not meeting these requirements are prohibited from being connected to College networks or being used to log into College systems or access, process, or store non-public College data unless explicitly authorized by the CIO or their designee.

2.10.5.5 Encryption

All sensitive data, as defined by the IT Security Classification Standard, that is stored outside facilities sufficiently secured against unauthorized access must be encrypted according to the College’s Data Encryption Standard. This includes, but is not limited to, data on laptop and workstation drives, mobile devices, and portable data storage devices, such as external hard drives and thumb drives.

All sensitive data sent over networks outside of physically secured locations must be encrypted according to the College’s Data Encryption Standard.

2.10.5.6 Scanning and Attack Simulations

Only those individuals explicitly authorized to do so by the CIO or their designee may scan College systems, networks, or other systems connected to College networks for security vulnerabilities or perform penetration tests or other attack simulations.

Last Updated: January 22, 2026