Policy

This policy sets forth the acceptable uses regarding the access and use of Ramapo College of New Jersey’s (hereafter “RCNJ”) information and information systems, which activities are acceptable and which are not, as well as the consequences of violating this policy.

RCNJ systems and personnel process (receive, store, process, transmit, and alter) a variety of sensitive and non-sensitive (public) information that must be handled in accordance with applicable laws, regulations, and best security practices. This information must be protected from unauthorized access, modification, and destruction, as well as backed up or archived as appropriate for the level of sensitivity and criticality of the information.

All users of the College’s information and technology resources, hereafter “users”, including students, employees, and guests, are expected to take responsibility for helping to maintain the security of the RCNJ computing and network infrastructure. This requires anyone who interacts with Ramapo systems or data, regardless of student or employment status, to practice basic security measures when accessing systems or receiving, storing, or transmitting information owned by RCNJ.

For the purposes of this policy, the term “employee” refers to all individuals who work for Ramapo College in exchange for financial or other compensation, including all part-time and full-time staff, faculty, adjuncts, managers, and student workers.

Reason for Policy

This policy defines acceptable use of RCNJ information systems, technology, and data. All users should be aware that all RCNJ-owned equipment, network infrastructure, and software applications are the property of RCNJ and are to be used for College purposes only. Also, all data residing on RCNJ-owned equipment is also the property of RCNJ and therefore, should be treated as such, and protected from unauthorized access.

To Whom Does the Policy Apply

This policy applies to all users, including students, employees, and guests who interact with College information systems, technology, or data.

This policy also applies to all systems and information owned, managed, or processed by RCNJ and its authorized personnel for academic, business, or support use.

This policy also applies to any external or non-RCNJ information system that interconnects with or exchanges data with RCNJ owned or managed systems.

No one is outright excluded from this policy, but faculty and students may have exemptions or special considerations when it comes to content restrictions, especially in research and instruction. However, they would still be expected to follow policies related to:

• Security (e.g., protecting sensitive data)
• Privacy laws (e.g., FERPA, HIPAA)
• Compliance with institutional regulations (e.g., no harassment, illegal activity, or misuse of resources)

Users cannot use IT resources for activities that violate laws, institutional policies, or ethical standards (e.g., hacking, discrimination, or unauthorized access). The policy is intended to balance academic freedom with responsible use to ensure security and compliance.

Supplemental Resources

This policy is intended to address the requirements of the Gramm-Leach-Bliley Act’s (GLBA) Standards for Safeguarding Customer Information (Safeguards Rule), which requires the establishment of a comprehensive information security program. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and the security controls contained therein are used to support RCNJ’s compliance with this regulation.

Specifically, this policy addresses compliance with the following controls:

• 03.01.02 Access Enforcement
• 03.01.05 Least Privilege
• 03.05.01 User Identification and Authentication
• 03.15.03 Rules of Behavior

Note that this Policy supports all applicable information protection policies, including:

• RCNJ Policy 410: Data Protection (PII)
• RCNJ Policy 411: Cybersecurity
• RCNJ Policy 413: Software, Hardware, and Supporting Devices
• IT Handbook
• RCNJ Policy 414: Use of Artificial Intelligence (AI) in the Workplace
• RCNJ Policy 458: Code of Professional Responsibility

Contacts

Information Technology Services (ITS) 

I. Rules

The following rules have been established to ensure that Ramapo College resources are used effectively, securely, and do not subject the college to any civil or criminal liability. All users of Ramapo information systems, technology, and data agree to the following:

a. All passwords used to access RCNJ systems must be kept secure and protected from unauthorized use.
b. No Ramapo user account can be shared between individuals. Authorized users are responsible for the security of their own passwords and accounts.
c. Transferring personally identifiable information or any information regarding College operations to portable equipment, personal cloud, other personal storage devices, or personal email accounts is prohibited.
d. All computers residing on or connecting to the internal RCNJ network, whether owned by the employee or RCNJ, shall continually execute approved anti-malware software with a current, up-to-date anti-malware signature. These computers must also run approved
anti-virus software with the latest virus definitions and real-time protection enabled at all times.
e. Employees must use extreme caution when opening e-mail attachments or clicking links received from unknown senders.
f. Personally identifiable information cannot be sent to external recipients unless there is an explicit business need, approved by the General Counsel, to do so (such as emailing the State), and should be transferred within the internal network or through secure VPN connections.
g. Off-campus work must be completed via a secure VPN connection so that no data is transferred off-network.
h. All workstations should be kept secure. Users should lock the workstation when not attended to protect unauthorized users from accessing secure files. This also applies to employees working remotely.
i. Users are prohibited from storing sensitive or regulated data (e.g., FERPA-, HIPAA-, or GLBA-protected information) on local computer drives, whether on personal or college-owned devices. Instead, approved secure storage solutions, such as specifically assigned locations on the College’s P and U drives, must be used to ensure compliance with institutional policies and regulatory requirements.
All student information, apart from directory information, on college systems is protected by FERPA and is accessible only to school officials with a legitimate educational interest.
j. All users must respect intellectual property, creativity, and privacy. This includes strict compliance with copyright laws like the Digital Millennium Copyright Act (DMCA) and avoiding plagiarism or unauthorized access to information systems, technology, or data. College systems may not be used to harass, threaten, or impede others, nor to transport illegal or otherwise harmful material.
k. Users are responsible for all activity on their accounts and must secure them with strong, private passwords. Any unauthorized use must be reported immediately to the CIO or system manager.
l. It is the user’s responsibility to back up their personal data, as college system backups are for institutional disaster recovery and are not intended for individual file restoration.
m. Users must comply immediately with any directive from IT staff to cease an activity, which is subject to timely review by the CIO.

II. Prohibited Activities

Under no circumstance is an employee or student of RCNJ authorized to engage in any activity that is illegal under local, State, Federal or international law while utilizing RCNJ-owned resources.
The following activities are prohibited, with no exceptions (the list below is by no means exhaustive, it attempts to provide a framework for activities which fall into the category of unacceptable use):

a. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by RCNJ.
b. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which RCNJ or the end user does not have an active license.
c. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws. The CIO should be consulted prior to the export of any material that is in question.
d. Introduction of malicious programs into the network or server environments (e.g., viruses, worms, Trojan horses, rootkits, etc.).
e. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
f. Using a RCNJ computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
g. Making fraudulent offers of products, items, or services originating from any RCNJ account.
h. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of the employee’s assigned duties. For purposes of this section, “disruption” includes, but is not limited to: Network sniffing, Pinged floods, Packet spoofing, Denial of service, Forged routing information for malicious purposes
i. Port scanning or security scanning is expressly prohibited unless prior notification to the RCNJ ITS Department is made.
j. Executing any form of network monitoring which will intercept data not intended for the employee’s host unless this activity is a part of the employee’s normal duties.
k. Circumventing user authentication or security of any host, network, or account, including but not limited to the use of keyloggers, credential harvesting, or other methods to capture or bypass authentication credentials.
l. Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
m. Using any program, script, or command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet or Intranet.

III. Email Use and Expectations

Ramapo College faculty and staff are provided with email accounts for the purpose of conducting official college business related to instructional, academic and/or administrative activities to accomplish tasks consistent with the college’s mission. Retired tenured faculty and retired staff with at least ten years of service may be permitted to retain a Ramapo email account upon request. For more information, visit www.ramapo.edu/its/it-info-retirees/.

Because email is an effective means to share important, relevant, and timely information, and a vital tool for supporting the academic and administrative needs of the college community, the college policy designates email as the official communication channel with faculty, staff, and students. Only @ramapo.edu email addresses will be used for official communication regarding all academic and administrative matters. For this reason, all faculty, staff, and students are required to maintain an “@ramapo.edu” address. However, although email is the official channel, other methods are used when appropriate.

The following guidelines govern email-related activities:

a. The college reserves the right to monitor all activities on college-owned email accounts to ensure compliance with institutional policies. Users should have no expectation of privacy when using college email, as all communications and activities may be subject to review.
b. As a State institution, the college must comply with Open Public Records Act requirements as it relates to college owned emails.
c. Faculty have the flexibility to determine how electronic communication tools—such as Canvas, Slack, or email—are used within their courses and will specify these requirements in the course syllabus. However, email remains the official channel for all college-wide and administrative communications. Therefore, faculty can assume that students regularly access their official college email accounts and can rely on email for essential course communications. This policy ensures that all students are able to meet email-based requirements set by faculty, while still allowing the use of other platforms to support learning and interaction.
d. Email senders should identify themselves with their title or role at the end of each message. Messages should focus solely on administrative or academic purposes, avoiding unrelated statements or quotes. Language must be respectful. Content and signatures should relate to official college business. Faculty, staff, and students are expected to check their email regularly and promptly, as some communications may be
time-sensitive. Excuses such as not checking email, forwarding errors, or delivery failures (e.g., “Mailbox Full” or “User Unknown”) will not excuse missing official communications.
e. The college reserves the right to set email quotas for faculty, staff, and students. Email destined for users who are over quota is queued for seven days and redelivery is attempted every hour. Quotas can be checked by logging into your personal webmail account. Student accounts that are over quota and have not been checked for 120 days are subject to deactivation.
f. Unit heads and supervisors must provide computer access to employees whose positions do not provide them with regular access to a computer, as well as a reasonable amount of time to use the computer provided for the purpose of checking their email for college business.
g. Users are responsible for safeguarding their data when using College email. Additionally, all employees lose access to their email accounts upon leaving the College and should ensure they save any important personal information beforehand—excluding proprietary, confidential, or personally identifiable information (PII) belonging to the College.

The following email-related activities are forbidden:

a. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (e.g., email spam).
b. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
c. Unauthorized use, or forging, of email header information.
d. Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
e. Creating or forwarding “chain letters,” “Ponzi,” or other “pyramid” schemes of any type.
f. Use of unsolicited email originating from within RCNJ’s networks or other Internet or Intranet service providers on behalf of, or to advertise, any service hosted by RCNJ or connected via RCNJ’s network.

Users of College email services agree to the following conditions:

a. Public postings by employees from an RCNJ email address should contain the following disclaimer stating that the opinions expressed are strictly their own and not necessarily those of RCNJ, unless the posting is part of their official business duties:

“Any views or opinions presented in this message are solely those of the author and do not necessarily represent those of Ramapo College of New Jersey (RCNJ). Employees of RCNJ are expressly required not to make defamatory statements and not to infringe or authorize any infringement of copyright or any other legal right by electronic communications. Any such communication is contrary to RCNJ policy and outside the scope of the employment of the individual concerned. RCNJ will not accept any liability in respect of such communication, and the employee responsible will be personally liable for any damages or other liability arising.”

IV. College Rights and Responsibilities

The college reserves the right to limit access, remove material, or inspect files if it believes college policies, laws, or contracts are being violated. To prevent serious harm or legal liability, IT staff may take immediate restrictive action. Content inspections may require notification to the President and may be reported to the Board of Trustees.

V. Non-Compliance and Sanctions

Violation of this policy and procedure may subject the violator to disciplinary actions, up to or including termination of employment, and may subject the violator to penalties stipulated in applicable State and Federal statutes. Until a determination is made regarding their continued participation in the campus community—whether as an employee, student, guest, or in any other capacity—violators will have their network or system access suspended.

VI. Roles and Responsibilities

The Chief Information Officer is responsible for ensuring implementation and compliance with this policy. The responsibility for implementing and maintaining procedures supporting this policy falls under the RCNJ Information Technology Services.

VII. Exceptions to Policy

Any exceptions to this policy must be documented by RCNJ ITS with the reason for the exception along with mitigations to reduce risk associated with not fully implementing this policy on excepted systems. The RCNJ CIO is the approval authority for exceptions to this policy.

VIII. Version History

Reviews of this policy should be conducted at least annually. This table will be updated whenever this Acceptable Use policy is reviewed or revised.

Version / Revision/Review Date / Authored By / Reviewed/Approved By / Reason

• 1.0 / 2/13/25 / Bobby Rogers (NJ Edge) / – / Initial Procedure Creation
• 1.0 / 2/14/25 / – / Alexia Mavros / – / Reviewed,Revisions Made
• 1.0 / Nov. 2025 / Policy Committee / Brittany Williams-Goldstein /  Reviewed,Revisions Made Following Public Comment