HRS-05.1 Rules of Behavior (Acceptable & Unacceptable Use)

Quick Takes

  • Do: Use SVC IT resources responsibly, securely, and only for authorized purposes.
  • Do: Protect sensitive data, including Personally Identifiable Information (PII), at all times.
  • Do: Report lost equipment, suspected security incidents, or policy violations immediately.
  • Do not: Bypass security controls, share credentials, or misuse systems.
  • Users with elevated privileges have additional security and oversight responsibilities.

1. Purpose

The purpose of the Rules of Behavior is to define acceptable and unacceptable use of SVC-provided IT resources in order to protect institutional systems, data, and users. These rules support compliance with SVC policies and cybersecurity standards and help prevent unauthorized access, data loss, misuse, and security incidents.

2. Scope

These rules apply to all users of SVC-provided IT resources, regardless of geographic location. This includes employees, contractors, and others authorized to access SVC systems, data, or networks. The rules cover all SVC-owned or managed systems, devices, networks, and data, including sensitive information and PII.

3. Key Policy Requirements

Users are required to:

  • Comply with all SVC policies, standards, and procedures when using IT resources.
  • Protect sensitive information from unauthorized disclosure, modification, or loss.
  • Report lost or stolen equipment, suspected security incidents, or policy violations promptly.
  • Use only authorized, properly licensed, and secure software.
  • Lock or log off systems when unattended and physically secure sensitive information.
  • Complete required security awareness training prior to system access and annually thereafter.
  • Access and use sensitive data only on a need-to-know basis and for approved purposes.

Users are prohibited from:

  • Circumventing security controls or exceeding authorized access.
  • Sharing accounts or passwords, or using another user’s credentials.
  • Storing or transmitting sensitive information without authorization or safeguards.
  • Using SVC IT resources for prohibited, offensive, illegal, commercial, or political activities.
  • Installing unauthorized hardware or software, or modifying systems without approval.
  • Using SVC systems to attack or gain unauthorized access to other systems.

4. Roles & Responsibilities

All Users

  • Follow acceptable use requirements and security practices.
  • Protect credentials and sensitive information.
  • Report security incidents, suspicious activity, and policy violations promptly.

Security & Privileged Users (e.g., System, Network, Database Administrators)

  • Advise asset and data owners on cybersecurity matters.
  • Assist with security planning, risk assessments, and documentation.
  • Implement and monitor security controls and audit logging.
  • Verify user training prior to granting system access.
  • Investigate and report security incidents to the Information Security Officer (ISO).
  • Ensure changes affecting contingency or disaster recovery are properly communicated.

5. Related Policies & References

6. Authority

All computer systems at Skagit Valley College are state property. Even if you are using your personal device, by connecting to the Wi-Fi, to Canvas, or to any other system provided by the College, you are using state property. State law requires everyone who uses state property to follow certain laws. Here is the chain of authority governing the College's IT policies:
