The general use of this TOS is on the point and appropriate. I would love to see, as someone in the field of Cybersecurity, there be a clause to protect those exploring field-related tools to be allowed access to possibly isolated networks where Virtual Machines can live and allow for exploration there. We have been able to work with the IT department in the past but at highly restricted levels - no NAT allowed, for example, which severely limits these tools, like VMs, to the point where they hardly function.

I would like more clarification on the final sentence in the definition of D. Incidental Personal Use. Could you clarify what "This does not include external personal business transactions." actually means? For instance, can I use my school laptop to make a purchase on Amazon? If you look at 4.c.2.a-c it looks as though making an online purchase is permitted, which seems to conflict with the last sentence of definition D.

Section B2k, when combined with Sections M1-4, makes it challenging to protect personal and sensitive information during work hours because we use a college device or its network. While I understand that OIT's changes are intended to enhance security, they can feel restrictive from a regular user's perspective. For example, the implementation of Admin By Request significantly limits a user's control over their device.

Item 2a may be problematic in that one could accidentally violate this policy by attempting to open a link to a restricted file. In this case, if you were navigating SharePoint and clicked on a restricted file, you could violate this policy as written without malicious intent.
2. Users must not:
a. access or attempt to access any restricted resource or private data owned by the college or another user without express permission;

As it is currently written, 4.H.1. means, in a literal sense, (a) that all college business must be conducted through email or (b) (if read more narrowly to apply only to “college computing resources”) that email is the only computing resource that can be used for college business. It would be a violation of policy, therefore, to conduct business using RingCentral, SharePoint, Zoom, most apps within the Microsoft Office suite, etc.

I would hope, of course, that a reasonable person would not read the policy this broadly, but I raise this point anyway to emphasize the importance of explicitly tailoring the policy to its intended scope. An example of more narrow wording might be “Any college business that is conducted by email must use the college’s enterprise email system.” In fact, it appears that the intent may have been to limit “college business” specifically to “Institutional Business Email Communications,” since that term was defined in Section 3.E. but never used elsewhere in the policy. Section 4.H.1. could, therefore, be revised to simply read, “Institutional business email communications must use the college’s enterprise email system.”

F.3
3. When off campus, especially on public or unsecured networks, users must use the college-provided VPN to access college resources.

Not all users have access to a SLCC-provided VPN. AllAccess or other means should also be authorized. This rule would prohibit the use of Canvas, SharePoint, Teams, Email, and other software while off campus. As written, it would apply to students who don't have VPN access.

[F.3] It would also prevent many of us from doing things like grading papers from home or even teaching online courses from our home offices.

1. Policy Statement

A. General Comment-This policy needs to more clearly state that it applies to faculty, staff, and students. As drafted, its application to students seems to be an afterthought. Are students going to look at this policy? There is little in the Code of Student Rights and Responsibilities regarding guidance or restrictions on how students use computers.
Bottom line: Students are not going to know that this policy applies to them. This policy needs to be better integrated with the Code of Student Rights and Responsibilities.

B. General Comment-Similar to our comments in the Code of Student Rights and Responsibilities policy, the inclusion of Artificial Intelligence provisions, while necessary, is an elusive problem. Both this policy and that policy do not provide clear guidance as to what is and what is not allowed. Despite robust committee discussion on this topic, we don’t have concrete suggestions to provide clarity to employees or students on acceptable and unacceptable uses of AI. In addition, if SLCC is too specific with AI policy provisions, our concern is that these specific provisions will be outdated in three to six months given rapid changes with AI. The committee sees the potential for significant inconsistency across the college regarding authorized and unauthorized AI use. For example, one academic department may state use of AI does not constitute cheating, while the same usage will be allowed in another department.

C. General Comment-Many of the updates to the policy are good and the policy has been improved. Since all employees use college issued laptops, this is an important policy.

2. Procedures
A. Section 4.B.1.d -Consider including a link to allow persons to report theft or misuse of computers to Public Safety or OIT.
B. Section 4.B.2-discusses access to restricted materials. Committee members expressed concern that they have unintentionally or accidentally accessed restricted materials as they were searching on Banner or Canvas for unrelated information. For example, you can access all of Canvas with the password. Another example is that sometimes you can access Board of Trustee information through SharePoint. Given that we share so much information at the college, this is a problem. Concern was expressed that this accidental access would result in corrective action. Can we create better firewalls so employees or students cannot access this restricted information?
C. Section 4.C.2-The committee had an extensive discussion regarding the “substantial personal gain” element for computer usage not considered to be incidental use. Some examples in the committee’s discussion addressing this concern were as follows:
1. Some faculty use their college-issued laptops to provide private tutoring lessons to students for which they are paid. There may be several Zoom lessons over the course of a semester for which they are paid $300 or $400. Does that violate this provision?
2. Some college faculty are paid to provide a virtual deposition as an expert witness in litigation. They provide their Zoom deposition on their college computer and are paid $500 or $1,000 for this service. Does this violate section 4.C.2?
3. Some college faculty conduct research and author articles on their laptop. In some cases, they are paid to write and publish this article. Does this violate section 4.C.2?
4. Besides being a vague term, “substantial personal profit” depends on who is profiting from the use of the computer. For example, a Vice President who earns $100 using his or her computer may not have a substantial personal gain; however, for an adjunct faculty member, a $100 earning may constitute substantial personal gain.
5. Make sure that this incidental use section is consistent with similar provisions in the Employee Conduct policy and Intellectual Property Policy.
D. Section 4.C.3- is new and seems to infringe upon an employee’s right without giving him or her the opportunity to be heard. While the college should be able to restrict access to a user accessing a pornographic webpage, this section, as drafted, is too broad.
E. Section 4.H.1- discusses the use of the email system. Consider rewording the sentence to state, “The college’s enterprise email system must be used to conduct college business” or words to this effect.
1. Does this section include Canvas messages?
F. Section 4.J-Use of Social Media
1. The social media section is not very robust. Consider adding more guidance or rules.
2. Should this section distinguish between an individual’s social media account and an institutional or college-wide social media account?
3. Should there be approval for college-wide social media programs?
4. How is this section being enforced and who is enforcing it?
5. Is “Linked In” considered social media? Is it subject to this section?
G. Section 4.L-Artificial Intelligence
1. There was concern that this section was more informational and did not belong in a policy setting forth rules. For example, do we need 4.L3 in the policy which states “AI systems’ training data and algorithms can perpetuate biases. . .”
2. In section 4.L.4, is there a need to reference the Code of Student Rights and Responsibilities?
3. Section 4.L.5 seems like an onerous responsibility to place on faculty and staff. Isn’t most everything thing done on work computers have potential transmission “across the college?”
H. Section 4.N-Enforcement
1. Who has the responsibility to enforce this policies’ provisions?