
7-3: Information Security – Procedures

Personal Network Drives

SFCC provides personal folders for all students, staff and faculty, which can be accessed on campus.

Student personal drives are accessed via the My Documents folders on all PCs on campus and can be browsed to on all SFCC-owned Mac computers. Currently students are provided with 1.5 GB of space per semester. These folders are deleted the week prior to the next semester. Students are responsible for taking copies of their work with them at the end of the semester.

Staff and Faculty are each given a personal drive. This drive is mapped as the P: drive. On a PC it can be found by clicking on “This PC” or using the File Explorer. Employees are currently allowed up to 5 GB of space. Once an employee reaches this size limit they will no longer be able to add additional files without deleting older files.

Requesting Access to other network shares such as departmental or shared drives.

Access to any other shares must be approved by the share owner or the departmental supervisor before access will be provided. Access is requested through the OIT ticketing system. The ticket should include approval from the requestor's supervisor if the request is for a departmental drive, or from the data owner if the drive is for a non-departmental group. Permissions to drives will not be provided without these approvals. Once you have been approved and access has been provided, you will need to log out of your computer and back in again.

O: Departmental Drives

S: Groups, Clubs, Committees and any other Non-Departmental function.

P: Personal Drives for Staff and Faculty

K,L,M: Reserved for Automated Banner reporting and upload data for Finance, Student and HR.

Password Management

Each student, staff and faculty member is given an SFCC network account. This account grants access to services such as logging into computers on campus, the student portal, wireless, Canvas and an ever-increasing number of other services.

Each person is responsible for their account and it is critical that individuals choose a secure password.

Passwords should never be provided to any other students, staff or faculty. No employee of SFCC will request your password and you should not give out your password either in writing or verbally.

If you suspect that your password has been compromised you should change your password immediately and report the issue to the OIT Service Desk at 505-428-1222.

SFCC supports utilizing secure passwords and requires users to change their passwords.

Staff, Faculty, Contractors and any other Users requiring access to the SFCC administrative networks have the following requirements.

  • Passwords will expire every 120 days.
  • Passwords must contain letters, numbers and special characters.
  • Password must be 8 or more characters.
  • Password must not match the last 10 passwords.

Student account passwords must meet the following requirements.

  • Passwords will expire every 180 days.
  • Passwords must be at least 8 characters.
  • Passwords must not match the last 10 passwords.

Changing your password can be done utilizing the following methods.

  1. If you have been locked out of your account you may visit the OIT Service Desk for password assistance or call 505-428-1222. You will be required to provide proof of identity.
  2. If you know your old password you may log into a campus PC with your old password and it will ask you to provide a new password.
  3. Utilize the change password link available on the MySFCC login page.

If you suspect your account has been compromised.

  1. Change your SFCC password immediately.
  2. Please alert the OIT Service Desk immediately by calling 505-428-1222.

Banner Access Permissions

Banner Access is based on job and campus roles. Additional access to Banner will require that those permissions be requested.

In order to request Banner access you must fill out the Banner Access Request form. To locate the form, log into MySFCC and click on the Employee tab. Next click on Forms and Guidelines, which is located under Quick Links – Employees. Then click on Office of Information Technology. The form is called the Banner Access Request.

An employee needing access should work with their supervisor to determine the required access.

The form must be signed by the employee’s supervisor and the data owners.

Here is a list of current data owners and their data areas.

  • Purchasing, Payroll, Grants and Business Office – Nick Telles, CFO
  • Student Accounts/Student AR – Barbara Sandoval, Cashiering
  • Web Time Entry approver – Steve Peralta, Payroll
  • Student – Bernadette Gonzales, Registrar
  • Financial Aid – Scott Whitaker, Financial Aid Office
  • HR – Supervisor and Signed off by Patrick Simpson

Once the form is completed it should be delivered to room 528, OIT Service Desk. The request will then be passed on to the Banner team to provide access.

Not all Banner requests are completed by OIT. Some requests must be made to the data owners directly.

When an employee is terminated Banner permissions will be revoked from their account.

Banner (INB) Password Requirements

  • Minimum of 8 characters
  • Letters and numbers only
  • 120 day expiration

Connecting Personal Equipment to the SFCC Network

Students, staff and faculty may bring personal devices on campus. At this time these devices may only be connected to the SFCC Student wireless network. It is named SFCC.

To connect to this network you must select the SFCC network utilizing the appropriate Wireless tool. Next you will need to open up a browser and attempt to visit any web page. The login page will appear and users will be asked to type in their SFCC username and password. All users are required to login to utilize the campus wireless network.

Students, staff and faculty connecting their devices are responsible for ensuring that the latest patches and antivirus are installed and running correctly. Problematic devices may be blocked from accessing the network. Proof will need to be provided to the SFCC Service Desk that the issue has been resolved through virus removal, computer rebuild, or permanent correction of the vulnerability. It is the responsibility of the device owner to make any repairs. OIT staff will not repair personal devices.

Guests may utilize the SFCC guest network only. Students, staff and faculty are discouraged from using this network because it has limited bandwidth per user and does not provide access to on campus resources, such as wireless printing, student file shares and other resources.  Problematic devices will be blocked from future use.

Conference attendees may be granted access to the SFCC event wireless network. Access to this network must be requested in advance of any event through the conference planning center.

SFCC provides VPN access for staff, faculty and contractors upon request. Employees are encouraged to utilize SFCC-provided equipment for this purpose. Employees wishing to utilize the VPN on their own personal devices must visit vpn.sfcc.edu and follow the instructions to install the Cisco VPN client. Employees and contractors are responsible for ensuring that their machine is up to date with security patches and has current antivirus/antimalware and a firewall up and running. Problematic machines will be blocked from using VPN until the employee provides proof they have corrected the issue.

Employees or contractors accessing, manipulating, or downloading Personally Identifiable Information (PII) must utilize an SFCC-provided laptop or computer to connect to the VPN.

Wired network ports accessible for student use are limited to the wireless subnet only. Students are not allowed access to other internal subnets.

Sharing PII

  1. Requests to share PII must first be sent to Yash Morimoto in OPIE. Requests should be made in writing to yash.morimoto@sfcc.edu.
  2. After a request is received OPIE will review it to ensure that the request is FERPA compliant.
  3. OPIE will also determine if the request requires the Institution Review Board to be convened. Most requests will require an IRB review, with the exception of recruitment requests from other Colleges and Universities.
  4. If the request is approved by the IRB then it will be returned to OPIE.
  5. At this time OPIE will review the request and work with the requestor to determine what data is actually required.
  6. Next the Memorandum of Understanding (MOU) will be created. This MOU will include the scope of data, how and when data will be destroyed and how it is shared with external institutions.

Procedures for Security Breaches or PII Exposure

ALL SFCC employees are responsible for protecting campus data. Security breaches can involve stolen or lost computers, stolen or lost USB drives, theft of electronic media, loss of a paper document or unauthorized use of an SFCC account. If an employee is not sure that there was a breach it is better to report the incident.

Employees who handle personal information, which includes Social Security numbers, bank account numbers, driver’s license numbers, student identification numbers, birthdates, medical information or any other identifying information must take steps to protect this information by doing the following:

  1. Employees must alert their supervisor of any actual or suspected security breaches involving personal information. This may include lost or stolen computers, exposed paperwork or unauthorized access to an employee account. If employees are unsure it is better to err on the side of caution and report the incident.
  2. Take security steps to maintain confidentiality and integrity of personal information, such as,
    1. locking rooms and file cabinets
    2. do not leave paperwork with personal information on desks and open areas
    3. lock computer access automatically
    4. use unique passwords
    5. change passwords often
    6. do not share or document passwords
    7. encrypt personal information when sending via email
    8. shred documents containing personal information
    9. ensure screens are not accessible to other people
    10. avoid leaving laptops, tablets and other devices in autos or unlocked areas.
  3. If a data breach has occurred or is suspected the employee or supervisor must report the incident to the CIO. The employee and supervisor should include as much information as possible and should include:
    1. Nature of the breach;
    2. The information that was exposed
    3. To whom it was exposed; and
    4. For how long it was exposed.

The following additional steps should also occur based on the type of breach:

  1. If the breach is believed to have occurred on a particular device or system then
    1. Employee(s) should stop using the device or system.
    2. The device or system should be immediately removed from all networks.
    3. The Office of Information Technology will determine the best method to evaluate the potential breach.
  2. If the data may have been exposed as a result of a stolen or lost computer:
    1. Campus security must also be alerted of the device theft or loss. Report the loss by visiting room 101 or by calling 428-1222.
    2. The Device owner may need to provide detail of the data that may have been exposed.
    3. Depending on the situation security may contact the police.
  3. If the issue may have been a result of unauthorized access to a particular account:
    1. The Account should be disabled and passwords changed.
    2. OIT will determine the best method to evaluate the potential breach.

Once a Breach or PII exposure has been confirmed

  1. OIT will provide specific details to the Executive Committee regarding the breach.
  2. The Executive Committee will determine the best next course depending on the extent of the breach.

Any employee who is aware of a potential breach, but does not report the incident may be subject to discipline in accordance with SFCC policy.

Physical Access to Data Center and IDF Access

Physical Access to Network and Server infrastructure is critical to data security at SFCC. Therefore physical access must be limited to critical employees only.

MDF access will be limited to OIT Directors/CIO/System Administration and Network Administration staff. IDF Access will be limited to CIO, OIT Directors and Network Administration staff where possible. In some cases the space is shared with POM.

Security Staff will not open OIT maintained MDF/IDF doors for any other employees, contractors, or visitors without the express written consent of the CIO/Director of Network and Systems Administration or a Network Administration Staff member. Anyone entering one of these spaces will need to provide identification at the Security Office and sign in and out of the room.

OIT Staff must monitor contractors in IDFs or MDF during any upgrades or maintenance for which they are responsible. For example network cabling must be managed by Network staff.

No IDF doors will be propped open without the presence of an SFCC Network Administration employee. If a contractor or visitor needs assistance with a door then they will need to arrange an escort from an OIT Network Administration staff person with a key. Data Center, Room 122 doors should remain closed at all times and access to this room should only be with an OIT Network or Systems Administration staff member, OIT director or the CIO.

In spaces where the space is shared with POM or is accessible to other employees, OIT will install and utilize locking cabinets to protect the infrastructure. At this time several shared areas have open racks. OIT will attempt to replace these with locking racks by the end of fiscal year 2018.

Food and drink are not allowed in these spaces. Storing of equipment not related to network administration, telephones or system administration is prohibited in all OIT managed IDF and MDF rooms.

Access to a Current or Former Employee’s Email or Files

On occasion access to an existing employee’s email or personal files may be required while a person is out with an illness or on vacation and the person can’t be reached to provide access.  Departments should make every attempt to plan ahead and the employee should delegate access to email or move files to shared folders. However, on occasion emergencies may occur that require additional access. Every attempt should be made to limit the request to only the required access. OIT Staff will attempt to utilize archiving tools to find only relevant documents. In order to do so access requests must be made to the CIO and must include the following:

  1. Approval of Executive Director of Human Resources.
  2. Specific details of the type of access, file names and dates are required.

Upon approval of the CIO, OIT Systems Administration staff will then provide the requested access to the relevant email or provide copies of requested files in an appropriate location. Permissions will never include the following:

  1. The ability to delete email or files.
  2. The ability to send email as the person unless permission is granted by the individual.
  3. Direct Access to the employee’s personal folder.

Access to Email or Files for Litigation Purposes

  1. Requests from legal counsel must be made in writing to the Executive Director of Human Resources or designee.
  2. Request must identify the email addresses or usernames of individuals, any relevant keywords and the start and end dates of the searches. Contact information for the requesting legal counsel should also be included.
  3. The Executive Director or designee will forward the request to the CIO or designee with approval.
  4. OIT Systems administration staff will complete relevant searches within the current archival technologies in use on campus.
  5. If required the OIT systems administration employee may contact the requestor for clarification of the search parameters.
  6. In the event that changes to the original search method need to be clarified or adjusted OIT will notify the CIO, Executive Director of HR and the requestor of the changes.
  7. OIT staff will then provide access to the files to the Executive Director of HR for review within 2 working days of receiving the approved search request.
  8. If the Executive Director feels that additional changes are required then the request should be returned to the CIO or designee with the requested corrections.
  9. Upon final approval the Executive Director of HR or designee will provide the files to the requestor.

Accessing a Former Employee’s Email or Files

OIT keeps former employee accounts, mailboxes and network files in their original state for no less than 6 months. However, accounts are disabled, the account is hidden and email is either set to not accept email or is forwarded to another user. It is the responsibility of each department to request that email be forwarded and to transfer critical email within this time frame.

After 6 months accounts may be deleted from email, Active Directory and other systems. OIT does maintain an archive of individual mail and calendaring items for 5 years; however, they are no longer connected to a user account. OIT also maintains a former employee’s personal drive in archive for 5 years.

The supervisor of the former employee may request that OIT forward email to another employee and request an auto response to alert external and internal senders of the departure. This should be done in writing through the OIT ticketing system and should include the following:

  1. Request must come from the former employee’s supervisor.
  2. The former employee’s name and A#.
  3. The forwarding email address requested.
  4. The language of the requested auto reply message.

The supervisor of the former employee also may request that OIT grant temporary access to the mailbox through Outlook for the purpose of transferring old email. This should be done in writing through the OIT ticketing system and should include the following:

  1. Request must come from the former employee’s supervisor.
  2. The former employee’s name and A#.
  3. The name and A# of the person requiring access.
  4. A description of the access required.

Access will not include the following:

  1. The ability to send email as the former employee.
  2. The ability to delete email or files.

The supervisor of the former employee may also request that the files of the former employee be moved to a location accessible to themselves or another current employee. This should be done in writing through the OIT ticketing system and should include the following:

  1. Request must come from the former employee’s supervisor.
  2. Former employee’s name and A#.
  3. Location of current files.

OIT staff may contact HR to ensure that the documents are being handled correctly.
