7-1: Information Technology Resources, Usage and Security

Policy Overview

Santa Fe Community College (SFCC or College) provides information technology resources to fulfill its mission and support academic freedom. This policy establishes guidelines to protect the confidentiality, availability, and integrity of SFCC’s information technology resources based on relevant laws and regulations. The policy also establishes appropriate security requirements and restrictions on accessing and using SFCC’s information technology resources.

Scope and Applicability

All users of SFCC information technology resources are subject to this policy. This policy applies to all information technology resources, and any devices connected to information technology resources, whether through a wired, wireless or remote connection.

Policy Statement

  1. SFCC is committed to the effective, efficient, ethical, and lawful use of its information technology resources to meet its mission, vision, and objectives.
  2. SFCC supports the use of technology for the open exchange of information and ideas in accordance with established policies on academic freedom (see Policy 3-14 Academic Freedom).
  3. All users are responsible for using information technology resources with awareness of and compliance with security, privacy, policies, and internal processes and controls (see Policy 2-1 Student Code of Conduct, Policy 4-1 Workplace Ethics and Code of Conduct).
  4. SFCC is dedicated to the protection of the rights of copyright holders and complies with all copyright laws including the Digital Millennium Copyright Act and the Higher Education Opportunity Act (Policy 3-16: Copyrights and Intellectual Property).
  5. SFCC is committed to the protection of privacy and confidential data under the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and in accordance with other appropriate laws.
  6. Information technology security is intended to protect access and usage; therefore, SFCC will limit risks through a combination of technology, procedures, enforcement, assessment, and awareness to minimize the risk of security incidents.


  1. Account Owner: An individual who has been assigned the privilege and the responsibility for access to any SFCC information technology resource.
  2. Authorized Access: Permission based on college role to access SFCC information technology resources.
  3. Confidential Data: Information that should be protected from unauthorized access or release and may include, but is not limited to, Personally Identifiable Information (PII), or other proprietary college information or data. PII refers to a set of distinct information that can be used to distinguish or trace an individual excluding information as allowed by the Family Educational Rights and Privacy Act (FERPA). It includes but is not limited to information such as social security numbers, tax identification numbers, health information, birthdate, driver’s license numbers, bank account numbers, health insurance information, maiden name, or SFCC A-numbers, or any aggregate student data that is less than 10 individuals. Directory information is excluded from PII unless a student has requested the Registrar’s Office not to disclose their information.
  4. Data Steward: A data steward is an individual responsible for specific data in a database or system, such as Banner. The data steward is responsible for data integrity and is also responsible for authorizing access to data, records, and information.
  5. Guest: A member of the general public who is not a registered student, employee, or sponsored visitor, and who may access information technology resources intended for public use.
  6. Information Technology Resources: All contracted or owned SFCC technology facilities, services, hardware, software, data storage, computer accounts, networks, and bandwidth; and all content and data (information) that comprise such technology.
  7. Malicious Network Traffic: Any program, software, files or activity that is damaging or detrimental to information technology resources; including but not limited to malware, worms, spam, Trojan horses, spyware, or unauthorized monitoring or logging.
  8. Security Breach: Any activity that leads to the damage or unauthorized access of an information technology resource.
  9. Separation from the College: Including but not limited to resignation, termination, retirement, or loss of student status.
  10. Shared Accounts: Accounts with multiple users that are intended for campus activities or departmental needs.
  11. Sponsored Visitor: Consultants, vendors, or others who have been authorized by SFCC for temporary access to relevant information technology resources.
  12. System Owner: An individual with operational, technical and overall responsibility for all aspects of a particular information technology system.
  13. User: Any entity, including, but not limited to staff, faculty, students, consultants, and vendors, who interact with technology resources and services provided by Santa Fe Community College. See also End User. See also Poster or User.

Policy Process

  1. Information Technology Resource Access
    1. Authorized access is governed by each user’s duties, roles and responsibilities, and requires the approval of a chair, director or above and may also require the approval of the system owner or data steward.
    2. User accounts and user access rights and privileges are intended for use by the account owner and must not be shared, transferred or used by others.
    3. Requests for shared accounts must include a valid educational, technological or business need and must be approved by the Office of Information Technology (OIT).
    4. Upon separation from the College, accounts will be disabled and authorized access will be removed. Business-related data including Personally Identifiable Information and email may be transferred to the supervisor upon request and approval from the appropriate Vice President or Executive Director.
    5. Violation of this policy may result in disciplinary action up to and including revocation or suspension of technology usage privileges and/or any other disciplinary action according to relevant SFCC policies. The College will report any activity that appears to violate any local, state, or federal law to the appropriate authorities.
  2. Security
    1. OIT establishes and enforces security standards for all information technology resources. Resources containing confidential data shall require additional security measures.
    2. OIT reviews all technology-related software, equipment requests, and purchases to ensure equipment meets security standards and equipment guidelines as outlined in Policy 7-2: Technology Equipment Renewal and Replacement.
    3. OIT reviews all software applications, whether hosted on campus or by a third party, that are intended to store or process confidential data, prior to purchase and implementation.
    4. OIT evaluates all applications developed on campus to ensure they meet campus security standards.
    5. OIT may filter malicious network traffic including inbound, outbound and internal.
    6. OIT has the right to limit access or quarantine any device that does not meet basic security standards to ensure the security of information technology resources.
    7. OIT will implement password and authentication standards following industry best practices.
    8. SFCC data centers and network closets will be secured at all times, with entry limited to authorized users.
  3. Privacy and Monitoring
    1. While respecting user privacy and academic freedom to the fullest extent possible, SFCC reserves the right to monitor and examine any network traffic or data for the following purposes which include, but are not limited to:
      1. Enforcing policies against discrimination, harassment and threats to the safety of individuals (Policy 4-9 Discrimination and Harassment and Policy 4-10 Sexual Harassment);
      2. Protecting against or limiting damage to information technology resources;
      3. Complying with a court order, subpoena or other legally enforceable discovery request (Policy 8-6 Public Information/Notices and News Media Contacts);
      4. Upgrading or maintaining information technology resources;
      5. In response to a notification, investigating and preventing the posting of proprietary software or electronic copies of texts, data, media or images in potential violation of copyright, licenses or other contractual and legal obligations or in violation of law;
      6. Issues outlined in Policy 4-4 Fraud, Waste and Abuse.
    2. OIT employees and individuals authorized by OIT are the only groups allowed to utilize monitoring and log capturing tools to examine traffic on information technology resources.

Statement of Accountability and Responsibility

The President, through the Chief Information Officer and the Office of Information Technology (OIT), in consultation with appropriate SFCC departments, shall have the authority and responsibility for developing, implementing, managing, securing, administering, and maintaining information technology resources. OIT will develop procedures for this policy and will work closely with SFCC departments to enforce compliance with this policy.


H.R.4137, the Higher Education Opportunity Act
7 U.S. Code § 512 Digital Millennium Copyright Act
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)

Gramm-Leach-Bliley Act (GLBA) Safeguards Rule

SFCC Policy 2-1 Student Code of Conduct
SFCC Policy 3-14 Academic Freedom
SFCC Policy 3-16 Copyrights and Intellectual Property
SFCC Policy 4-1 Workplace Ethics and Code of Conduct
SFCC Policy 4-4 Fraud, Waste and Abuse
SFCC Policy 4-9 Discrimination and Harassment
SFCC Policy 4-10 Sexual Harassment
SFCC Policy 7-2 Technology Equipment Renewal and Replacement
SFCC Policy 7-4 Electronic Mail
SFCC Policy 8-6 Public Information/Notices and News Media Contacts


SFCC Governing Board approved: 1/28/2014
Revised and Governing Board approved: 6/28/2016
Revised and Governing Board approved: 5/27/2020

Associated Procedures