7-1: Active Information Technology Resources, Usage and Security

Policy Overview

Santa Fe Community College (SFCC or College) provides information technology resources to fulfill its mission and support academic freedom. This policy establishes guidelines to protect the confidentiality, availability, and integrity of SFCC’s information technology resources based on relevant laws and regulations. The policy also establishes appropriate security requirements and restrictions on accessing and using SFCC’s information technology resources.

Scope and Applicability

All users of SFCC information technology resources are subject to this policy. This policy applies to all information technology resources, and any devices connected to information technology resources, whether through a wired, wireless or remote connection.

Policy Statement

SFCC is committed to the effective, efficient, ethical, and lawful use of its information technology resources to meet its mission, vision, and objectives.

Definitions

1. Account Owner An individual who has been assigned the privilege and the responsibility for access to any SFCC information technology resource.
2. Authorized Access Permission based on college role to access SFCC information technology resources.
3. Confidential Data Information that should be protected from unauthorized access or release and may include, but is not limited to Personally Identifiable Information (PII), or other proprietary college information or data. PII refers to a set of distinct information that can be used to distinguish or trace an individual excluding information as allowed by the Family Educational Rights and Privacy Act (FERPA). It includes but is not limited to information such as social security numbers, tax identification numbers, health information, birthdate, driver’s license numbers, bank account numbers, health insurance information, maiden name, or SFCC A-numbers, or any aggregate student data that is less than 10 individuals. Directory information is excluded from PII unless a student has requested the Registrar’s Office not to disclose their information.
4. Data Steward A data steward is an individual responsible for specific data in a database or system, such as Banner. The data steward is responsible for data integrity and is also responsible for authorizing access to data, records, and information.
5. Guest A member of the general public who is not a registered student, employee, or sponsored visitor, and who may access information technology resources intended for public use.
6. Information Technology Resources refers to all contracted or owned SFCC technology facilities, services, subscriptions, hardware, software, data storage, accounts, networks, bandwidth, and all content and data (information) that comprise such technology.
7. Malicious Network Traffic Any program, software, files or activity that is damaging or detrimental to information technology resources; including but not limited to malware, worms, spam, Trojan horses, spyware, or unauthorized monitoring or logging.
8. Security Breach Any activity that leads to the damage or unauthorized access of an information technology resource.
9. Separation from the College Including but not limited to resignation, termination, retirement, or loss of student status.
10. Shared Accounts Accounts with multiple users that are intended for campus activities or departmental needs.
11. Sponsored Visitor Consultants, vendors, or others who have been authorized by SFCC for temporary access to relevant information technology resources.
12. System Owner An individual with operational, technical and overall responsibility for all aspects of a particular information technology system.
13. User is any person including, but not limited to students, employees, guests, volunteers, contractors, consultants, and vendors who interact with SFCC’s technology resources and services.

Policy Process

1. SFCC supports the use of technology for the open exchange of information and ideas in accordance with established policies on academic freedom (SFCC Policy 3-14 Academic Freedom).
2. All users are responsible for using information technology resources with awareness of and compliance with security, privacy, policies and internal processes and controls (SFCC Policy 2-1 Student Code of Conduct, SFCC Policy 4-1 Workplace Ethics and Code of Conduct).
3. SFCC is dedicated to the protection of the rights of copyright holders and complies with all copyright laws including the Digital Millennium Copyright Act and the Higher Education Opportunity Act (SFCC Policy 3-16 Copyrights and Intellectual Property).
4. SFCC is committed to the protection of privacy and confidential data under the Family Educational and Privacy Rights Act (FERPA) and in accordance with other appropriate laws.
5. Information technology security is intended to protect access and usage, therefore SFCC will limit risks through a combination of technology, procedures, enforcement, assessment, and awareness to minimize the risk of security incidents.
6. Information Technology Resource Access
   1. Authorized access is governed by each user’s duties, roles and responsibilities, and requires the approval of a chair, director or above and may also require the approval of the system owner or data steward.
   2. User accounts and user access rights and privileges are intended for use by the account owner and must not be shared, transferred or used by others.
   3. Requests for shared accounts must include a valid educational, technological or business need and must be approved by the Office of Information Technology.
   4. Upon separation from the College, accounts will be disabled and authorized access will be removed. Business-related data including Personal Identifiable Information and email may be transferred to the supervisor upon request and approval from the appropriate Vice President or Executive Director.
   5. Violation of this policy may result in disciplinary action up to and including revocation or suspension of technology usage privileges and/or any other disciplinary action (SFCC Policy 2-2 Corrective Action and Disciplinary Action, SFCC Policy 4-2 Corrective Action and Disciplinary Action). If required by law or according to relevant SFCC policies, the College will report any activity that appears to violate any local, state, or federal law to the appropriate authorities.
7. Security.The Office of Information Technology:
   6. Establishes and enforces security standards for all information technology resources. Resources containing confidential data shall require additional security measures.
   7. Reviews all technology related software, equipment requests, and purchases to ensure equipment meets security standards and equipment guidelines (SFCC Policy 7-2 Technology Equipment Renewal and Replacement).
   8. Reviews all software applications, whether hosted on campus or by a third party, that are intended to store or process confidential data, prior to purchase and implementation.
   9. Evaluates all applications developed on campus to ensure they meet campus security standards.
   10. May filter malicious network traffic including inbound, outbound and internal.
   11. Has the right to limit access or quarantine any device that does not meet basic security standards to ensure the security of information technology resources.
   12. Will implement password and authentication standards following industry best practices.
   13. Will secure at all times data centers and network closets, with entry limited to authorized users.
8. Privacy and Monitoring
   14. While respecting user privacy and academic freedom to the fullest extent possible, SFCC reserves the right to monitor and examine any network traffic or data for the following purposes which include, but are not limited to:
       1. Enforcing policies against discrimination, harassment and threats to the safety of individuals (SFCC Policy 4-9 Discrimination and Harassment, SFCC Policy 4-10 Sexual Harassment);
       2. Protecting against or limiting damage to information technology resources;
       3. Complying with a court order, subpoena or other legally enforceable discovery request (SFCC Policy 8-3 Inspection of Public Records, SFCC Policy 8-6 Public Information/Notices and News Media Contacts);
       4. Upgrading or maintaining information technology resources;
       5. In response to a notification, investigating and preventing the posting of proprietary software or electronic copies of texts, data, media or images in potential violation of copyright, licenses or other contractual and legal obligations or in violation of law.
       6. Issues outlined, in SFCC Policy 4-4 Fraud, Waste and Abuse.
   15. The Office of Information Technology employees and individuals authorized by the Office of Information Technology are the only groups allowed to utilize monitoring and log capturing tools to examine traffic on information technology resources.

Statement of Accountability and Responsibility

The President, through the Chief Information Officer and the Office of Information Technology, shall be responsible for enforcing technology policies and procedures. The Office of Information Technology shall work with the different departments and offices to comply with this policy and to develop procedures regarding awareness, prevention and remediation.

Authority

H.R.4137, the Higher Education Opportunity Act
7 U.S. Code § 512 Digital Millennium Copyright Act
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
Gramm-Leach-Bliley ACT(GLBA) Safeguards Rule
SFCC Policy 2-1 Student Code of Conduct
SFCC Policy 2-2 Corrective Action and Disciplinary Action
SFCC Policy 3-14 Academic Freedom
SFCC Policy 3-16 Copyrights and intellectual Property
SFCC Policy 4-1 Workplace Ethics and Code of Conduct
SFCC Policy 4-2 Corrective Action and Disciplinary Action
SFCC Policy 4-4 Fraud, Waste and Abuse
SFCC Policy 4-9 Discrimination and Harassment
SFCC Policy 4-10 Sexual Harassment
SFCC Policy 7-2 Technology Equipment Renewal and Replacement
SFCC Policy 7-4 Electronic Mail
SFCC Policy 8-3 Inspection of Public Records
SFCC Policy 8-6 Public Information/Notices and News Media Contacts

Approval

SFCC Governing Board approved: 1/28/2014
Revised and Governing Board approved: 6/28/2016
Revised and Governing Board approved: 5/27/2020

Edited by Policy Officer: 10/30/2020

Associated Procedures

• Information Technology Resources, Usage and Security – Procedures
• Incident Response Procedure