
7-3: Information Security

Policy Overview


The purpose of this policy is to provide a set of guidelines for the protection of Santa Fe Community College (SFCC or College) information while maintaining accessibility. Ultimately, the College is committed to protecting sensitive and confidential student information. It is the intent of the College to minimize the risk of incidents and reduce the impact to a manageable level through a combination of technology, standards, enforcement, and awareness.

Scope and Applicability


This policy applies to students, employees, contractors, and third-party entities using the College’s systems and technology, facilities, communications networks, and data. Management at all levels is responsible for ensuring that all employees are aware of, and adhere to, the policy and the principles and the minimum requirements it defines. This policy shall be incorporated into contracts and agreements with outside agencies or entities that relate to any part of the College’s information systems and technology.

Policy Statement


SFCC is committed to the protection of sensitive, personally identifiable information, and other information residing in its systems, protected by federal and state laws. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the College and/or to the campus community that might subject the College to fines or other sanctions. The College shall implement measures to prevent, to promote awareness of, and to mitigate the risks regarding access and use of information.

Definitions


  1. Directory Information: Information that is generally not considered harmful or an invasion of privacy if released and that can also be disclosed to outside organizations without a student or parent’s prior written consent. What the College considers to be Directory Information is published in the SFCC Catalog annually.
  2. End User: Any entity, including, but not limited to, staff, faculty, students, SFCC partners, consultants, and vendors, who interacts with technology resources and services provided by Santa Fe Community College. See also Poster or User.
  3. Information Systems: The collective set of applications, programs, and modules used by the College to store and to process data and information in electronic format usually stored in a database either aggregate or disparate.
  4. Office of Information Technology (OIT): The office responsible for implementing, maintaining, and developing information systems and technology at the College.
  5. Office of Planning and Institutional Effectiveness (OPIE): The office responsible for reporting the official descriptive and inferential statistics data for the College.
  6. Personally Identifiable Information (PII): A set of distinct information that can be used to distinguish or trace an individual, excluding information as allowed by the Family Educational Rights and Privacy Act (FERPA). It includes but is not limited to information such as social security numbers, tax identification numbers, health information, birthdate, driver’s license numbers, bank account numbers, health insurance information, maiden name, SFCC A-numbers, or any aggregate student data that is less than 10 individuals.
  7. Technology Resources: All college technology facilities, services, hardware, software, data storage, computer accounts, networks and bandwidth; and all content and data that comprise college technology.

Policy Process


  1. Objectives
    1. Prevent unauthorized disclosure of, or access to, information stored or processed on SFCC systems.
    2. Prevent the accidental or unauthorized deliberate destruction, alteration, or deletion of information necessary to operations.
  2. Custodianship of Data and Information. The functional departments and divisions are custodians of their respective areas and are responsible for maintaining accurate data and determining the appropriate level of access each employee is granted based on their job description.
    1. The Chief Information Officer and the Office of Information Technology shall be the overall custodian of all electronic records stored on servers and/or enterprise databases.
    2. The Office of Human Resources is the custodian of all employee-related records and documents.
    3. The Financial Services Office is the custodian of all financial records and documents of the College, student financial accounts, and employee payroll records and documents.
    4. The Office of the Vice President for Academic and Student Affairs is the custodian of all student information, including financial aid documents.
  3. Classification of Information. Each information, record, document, and/or file, in both electronic and printed format owned and/or in the care of the College, shall be classified as confidential, sensitive, or public.
  4. Access to Information. Access to sensitive and personally identifiable information is on an as-needed basis.
    1. An employee’s access to information is governed by their duties, responsibilities, and job assignment.
    2. Access to any student information is governed by Family Educational Rights and Privacy Act (FERPA) and requires approval from the Vice President for Academic and Student Affairs.
    3. Access to any employee information is governed by applicable state and federal laws and requires approval from the Office of Human Resources.
    4. Access to any financial information of the College requires approval from the Vice President of Finance/Chief Financial Officer.
    5. In the event the College wishes to share personally identifiable information with a non-SFCC entity, a Memorandum of Understanding (MOU) regarding the purpose, scope, and guidelines for sharing and using data must be prepared. The MOU must be approved by the Office of Planning and Institutional Effectiveness prior to releasing any personally identifiable information.
  5. Transmission and Sharing of Documents and Files. The College shall transmit electronic documents and files in a secure manner using secured file transfer programs and procedures. Under no circumstance shall an email emanating from an SFCC account and sent to a third-party email account (non-SFCC email) transmit personally identifiable information unless a signed and approved MOU is already in place and the transmission of personally identifiable information through email has been approved by the Office of Information Technology. The sender must always work with the Office of Information Technology to determine an alternative way of sending electronic messages or data in a secured manner.
  6. Reporting Official Statistics Regarding the College. The Office of Planning and Institutional Effectiveness shall be responsible for reporting the official descriptive and inferential statistics information for the College. Any information reported internally and externally must follow appropriate state and federal laws and regulations protecting personally identifiable information.
  7. Exposure of Personally Identifiable Information. The College shall develop and maintain a procedure for handling and managing the exposure of personally identifiable information following applicable state and federal laws.
  8. Storage and Disposal of Information. Care must be taken in the transmission, storage, and disposal of information. Each end user should consult with their manager, the College’s record retention policy, and the state records retention policy to identify sensitive personal and financial data.
  9. Violations of the Information Security Policy. Security violations are events or actions that are in violation of this policy. The types of activities that may be considered security violations include, but are not limited to, the following based on existing policies and procedures on student conduct in accordance with SFCC Policy 2-1 Student Code of Conduct or employee conduct in accordance with SFCC Policy 4-1 Workplace Ethics and Code of Conduct, whichever is applicable.

Statement of Accountability and Responsibility


The President, through the Chief Information Officer and the Office of Information Technology, shall be responsible for enforcing information security procedures and policies. The Office of Information Technology shall work with the different departments and offices to comply with this policy and develop procedures that will enforce this policy regarding awareness, prevention, and remediation.

Authority

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)

New Mexico Inspection of Public Records Act, NMSA 1978, (Chapter 14, Article 2)

SFCC Policy 2-1 Student Code of Conduct

SFCC Policy 4-1 Workplace Ethics and Code of Conduct

Approval

SFCC Governing Board approved: 3/31/15

Revised and Governing Board approved: 6/22/16

Associated Procedures