7-1: Information Technology Resources, Usage and Security – Procedures

Network Drives

Accounts, Authentication, and Password Management (Includes Preferred Name)

Banner Workday Access Permissions and Requests

Microsoft 365 and Azure

Connecting Personal Equipment to SFCC Networks

Security Breaches or Personally Identifiable Information Exposure

Security Awareness Training

Physical Access to Data Center and IDF Access

Accessing a Former Employee’s Email or Files

  1. Network Drives
    1. SFCC provides various shared folders accessible on campus for all students, faculty, and staff.
    2. Employees are responsible for storing their important files on these drives, where the data is backed up and archived for retrieval in the event of data loss.
    3. Student personal drives are accessed via the My Documents folders on all PCs on campus and can be browsed to on all SFCC-owned Mac computers. Currently, students are provided with 2 GB of space per semester. These folders are deleted approximately the week prior to the next semester. Students are responsible for making copies of their work prior to the end of the semester.
    4. Faculty and staff are each provided a personal drive. This drive is mapped as the P: drive. On a PC it can be found by clicking on “This PC” or using the File Explorer. Employees are currently allowed up to 5 GB of space. Once an employee reaches this size limit, they will no longer be able to add additional files without deleting older files. Staff are responsible for storing their files on a server.
    5. Requesting access to other network shares such as departmental or shared drives:
      1. Access to any other shared drives must be approved by the shareowner or the supervisor before access will be provided and submitted through the Information Technology ticketing system. The ticket should include approval from the requestor’s supervisor if the request is for a departmental drive or the data owner if the drive is for a non-departmental group. Permissions to drives will not be provided without these approvals. Once access has been approved and provided, you will need to log out of your computer and back in again.
      2. These are the drives:
        • O: Departmental Drives
        • S: Groups, Clubs, Committees and any other Non-Departmental function.
        • P: Personal Drives for Faculty and Staff
        • H, K, L, M: Reserved for System Processes.
  2. Accounts, Authentication, and Password Management
    1. Every student, faculty, and staff member is provided an SFCC network account and an email address. This account is required to log in to SFCC-owned devices, MySFCC, course registration, wireless, email, and more.
    2. Student accounts will be created approximately two hours after being admitted to the College.
    3. Each person is responsible for their account and any activities which occur under their account.
    4. Each person is required to choose a secure password and to protect that password.
    5. Passwords and access should never be shared with anyone else. No employee of SFCC will request your password and you should not give out your password either in writing, on a website, or verbally.
    6. Do not write your password down anywhere.
    7. If you suspect that your password has been compromised, change your password immediately, and report the issue to the Office of Information Technology Service Desk at 505-428-1222.
    8. Staff, faculty, contractors, and any sponsored guests requiring access to the administrative networks have the following requirements:
      1. Passwords must contain letters, numbers, and special characters.
      2. Password must be 17 or more characters.
      3. Password must not match the last 10 passwords.
      4. Minimum password age of one day.
      5. Accounts will lock out for 15 minutes after five bad password attempts
      6. Password must be changed annually.
      7. Multi-Factor Authentication is required for Office 365 and Workday.
      8. Multi-Factor Authentication will be implemented for new systems containing confidential and sensitive information. Existing systems will migrate
      9. Single Sign-On will be required for third-party software to increase ease of use and limit use of multiple accounts.
    9. Student account passwords must meet the following requirements:
      1. Passwords must be at least 12 characters
      2. Passwords must not match the previous 10 passwords.
      3. Must contain at least three of the following: Uppercase letter, lower case letter, number, and a special character.
      4. Accounts will lock out for 15 minutes after 10 bad password attempts
      5. Passwords will expire every 180 days.
    10. Change your password using any of these methods:
      1. Use the change password reset link on the MySFCC login page.
      2. If you have been locked out of your account, go to the Office of Information Technology Service Desk for password assistance or call 505-428-1222. You will be required to provide proof of identity.
      3. If you know your old password, log in to a campus PC: Click ctl-alt-del and choose Change password.
    11. If you suspect your account has been compromised:
      1. Change your password immediately.
      2. Alert the Office of Information Technology Service Desk immediately by calling 505-428-1222.
    12. Legal Name Changes
      1. Account Names are created automatically and are based on a person’s legal name. Legal name changes may be requested in the Registrar’s office for students or the Office of Human Resources for Employees.
      2. Upon proof of a legal name change, the Office of Information Technology will assist in updating the name for all relevant accounts.
      3. If you wish to be known by a different name than your chosen name than you may ask to have your chosen name added to your banner account in the Office of Human Resources. The Office of Information Technology will then add this name in parentheses to your display name in the Active Directory and the email address book. It will not change your email address or username.
      4. All other name changes require the written approval of the Chief Information Officer, executive-level supervisor, and the Chief Human Resources Officer.
    13. Preferred Names
      1. SFCC recognizes that some students, faculty, and staff prefer to use names other than the legal first names to identify themselves. In this process, preferred names only refer to a first name. You must provide legal proof to the Registrar’s Office or the Office of Human Resources to change your last name.
        1. If you request a preferred name, you agree that the name is the name you wish to be called.
        2. Your preferred name must follow all SFCC policies and procedures.
        3. At this time, preferred name only refers to a first name.
      2. SFCC reserves the right to reject your preferred name for the following reasons:
        1. Contains vulgar or offensive language,
        2. Creates confusion, and/or
        3. Is intended as a misrepresentation.
      3. While you may update your preferred name within Banner and Workday multiple times, because of the manual effort the Office of Information Technology will only update your username and email address once per academic year.
      4. To enter a preferred name students should follow these steps:
        1. Log into
        2. Click on the Student Records/Services
        3. Click on Personal Information.
        4. Select Edit on the upper right of Personal Details.
        5. Type in your selected Preferred Name.
        6. Click Save.
        7. It may take several hours for changes to process through our systems.
      5. Employees should follow these steps: 
        1. Log in
        2. Click on the Workday application link and follow the prompts to log in.
        3. Type Preferred Name in search and choose the link to Change my Preferred Name.
        4. Uncheck the Use Legal Name As Preferred Name
        5. Type your Preferred First Name into the First Name field and click Submit. (We do not process any field except the first name field, although you will be offered many.)
        6. Your request will be submitted to the Office of Human Resources for approval.
        7. Upon approval, it may take several hours for changes to take place.
      6. The following technologies will display a preferred name:
        1. Microsoft 365 including email, Teams, etc.
        2. Canvas
        3. SFCC Connect – Faculty and staff only
        4. Course Rosters. We have two types of course rosters. Preferred Name will be in Parentheses on one roster and as a separate column in the other.
        5. My SFCC Portal
        6. Workday – Employees only at this time.
      7. Additional changes upon request:
        1. Your email address and username can be changed to match your preferred name.
          1. Submit a ticket with the Office of Information Technology
          2. This has an impact on authentication to all SFCC services so avoid requesting when you have tests or timely work.
          3. Your password will not change.
          4. Previous email addresses will continue to function.
          5. Due to the amount of work we ask that you limit these requests to one per year.
        2. You may request a Student and Employee ID card with your preferred name.
          1. Your preferred name will be on the Front and the Legal name on the back.
          2. Call or visit the Welcome and Advising Center to update your ID Card.
      8. While SFCC would like preferred name to be provided consistently across all technology some legacy applications do not currently display preferred names; these include:
        1. SFCC Alert/Rave – emergency alerts.
        2. Anthology course evaluations.
        3. Maxient – Student behavior
        4. Course Schedule.
      9. In many instances, SFCC must use your legal name. These include, but are not limited to:
        1. Official and Unofficial Transcripts
        2. Diplomas
        3. Banner Admin Pages
        4. 1098 T
        5. Scholarship and Financial Aid documents
        6. Student billing – Touchnet
        7. Human Resource documents such as background checks, tax documents, and benefits enrollment.
    14. Account Termination
      1. Upon separation from the College, full-time faculty and staff accounts will be disabled immediately. This includes the Active Directory, email, and Banner. Employees wishing to maintain access for a student account will be issued a new account.
      2. Adjunct faculty accounts will remain active for three semesters beyond their last completed semester.
      3. Student accounts are kept active for six semesters after graduation or the last completed course. Students who want their account to be terminated earlier should contact the Service Desk at 505-428-1222 or visit room 528.
  3. Banner and Workday Access Permissions and Requests
    1. Banner
      1. Banner Access is based on job and campus roles. Additional permissions to access other Banner sections or modules must be requested.
      2. To request Banner access, you must fill out the Banner Access Request form. To locate the form, log in to MySFCC.
      3. An employee who needs access should work with their supervisor to determine the required access.
      4. The form must be signed by the employee’s supervisor and the data stewards. Here is a list of current data stewards and their data areas:
        • Purchasing, Payroll, Grants, and Business Office: Nick Telles, Vice President of Finance/Chief Financial Officer
        • Student Accounts/Student Accounts Receivable: Barbara Sandoval, Cashier’s Office Manager
        • Web Time Entry approval: Amy Pell, Controller
        • Students: Bernadette Gonzales, Registrar
        • Financial Aid: Kelly Durbin, Director of Financial Aid
        • Human Resources: Donna Castro, Chief Human Resources Officer.
      5. Once the form is completed, scan it, and submit a ticket or deliver it to the Office of Information Technology Service Desk, East Wing, Room 528. The request will be forwarded to the Banner team to provide access.
      6. When an employee is separated from the College, all Banner permissions will be revoked from their account.
    2. Workday
      1. Supervisors should submit a request for role-based access to the Office of Information Technology Service Desk.
      2. The Office of Information Technology Service Desk will pass the request on to CHESS personnel for review.
      3. CHESS will request and document approvals from the information owner.
      4. CHESS personnel will configure access and alert the user.
  4. Microsoft 365 and Azure
    1. Microsoft 365 is a cloud-based subscription services which allows SFCC to provide access to a variety of Microsoft applications. These include Outlook, One Drive, Office Online, Office ProPlus, and more.
    2. Current students, faculty, and staff are provided access to Microsoft 365. Not all features are available to everyone. New offerings may be rolled out to select groups prior to implementation for the entire campus.
    3. Microsoft 365 users are expected to follow all SFCC policies and those of Microsoft Office 365.
    4. Microsoft 365 Training. Microsoft maintains a variety of Office 365 Training Videos at this site:
    5. Outlook Email. See SFCC Policy 7-4 Electronic Mail for more information about Outlook and Office 365 Exchange Email.
    6. Office 365 Apps for Enterprise Installation.
      1. Office Pro Plus is a version of Office that is available through the Office 365 platform.
      2. Currently enrolled credit course students, faculty, and staff have access to this feature. Eligible users may download and install Office Pro Plus on up to five supported devices. Supported devices include those with Windows OS, Mac OS, IOS devices, and most android devices.
      3. Mac OS and IOS use the app store to install Microsoft Apps.
      4. Visit and click on Install Apps.
    7. Multi-Factor Authentication (MFA)
      1. SFCC Employees are required to use MFA in the following tools:
        1. Microsoft 365 Apps
        2. Global VPN
        3. Workday
      2. Users are encouraged to install the Microsoft authenticator application for MFA.
      3. Users with elevated privileges, such as IT employees, are required to use the authenticator application.
      4. SMS is also an option for MFA.
      5. New software applications storing any of the following: educational records as defined by FERPA, financial information, SSN or other confidential information will be required to function with Azure MFA or have an MFA product included.
    8. OneDrive.
      1. OneDrive is cloud storage provided for the storage of files and information related to SFCC and is a convenient way to have access to your documents from anywhere.
      2. One Drive is available to all students, faculty, and staff and includes 1 TB of storage space.
      3. OneDrive is installed on all campus Windows 10 PCs. To access it:
        1. Click on the Windows Start Icon and type OneDrive in the search bar.
        2. Enter your SFCC username:
        3. If you are asked to choose a personal or Work/School account, choose Work/School.
        4. Type in your SFCC username and password to log in and begin using One Drive.
        5. OneDrive is also available for installation on many mobile devices. Visit your app store and search for One Drive. You will be required to log in with your SFCC username and password.
    9. Office Online. Office Online is a set of online tools including Word, Excel, PowerPoint, and One Note which may be used in a web browser.
      1. All students, faculty, and staff are granted access to Office Online.
      2. Files created, saved, and edited through Office Online are stored within OneDrive.
      3. To access Office Online log into MySFCC and click on the Office 365 Icon.
    10. Microsoft TEAMS. Teams is a chat, file sharing, and collaboration tool that brings services such as Skype, One Drive, and Office Online into one platform.
      1. Teams Administration.
        1. Teams are monitored and governed by the Office of Information Technology.
        2. The Office of Information Technology does not create or manage Teams.
        3. The creator is considered the owner of a team.
        4. The owner is responsible for:
          1. Following the naming convention below,
          2. Creating sub-teams,
          3. Assigning user permissions,
          4. Removing user permissions,
          5. Transferring ownership in the event they are terminating, and
          6. Ensuring information stored within the team conforms with all College policies.
      2. Naming Convention. Those creating Teams should use the following naming convention:
        1. Make sure the name includes a department, committee, or project name.
        2. Add “_TEAMS” to the end of your team name.
        3. Names must follow all appropriate SFCC policies and procedures.
        4. Be aware that if your names are too close to the names of an email distribution list it may cause confusion. Adding “_TEAMS” will help avoid confusion.
        5. The Office of Information Technology may correct names to clear up confusion or naming conflicts. Team owners may also correct or edit team names.
      3. Team Cleanup.
        1. Teams will be automatically audited to ensure they are still in use.
        2. Any team that is inactive for one year will be deleted. Owners will receive warning emails 30 and 15 days prior to deletion.
        3. Any deleted team will be recoverable by the owner for 30 days.
      4. Accessing Teams. Teams may be accessed in several ways:
        1. Log into MySFCC and click on the Office 365 Icon.
        2. Choose Teams from the application options.
        3. You may also request the installation of the Teams application on your SFCC computer through the Office of Information Technology Self-Service Icon.
        4. Teams Applications are also available for installation on many mobile devices. Visit your App store and search for Microsoft Teams. You will be required to log in with your SFCC username and password.
      5. Data Storage, Backups, and Archiving of Teams, and other Microsoft 365 tools.
        1. Microsoft 365 Backups are help for one year and include Teams, SharePoint, One Drive, and Email.
        2. Microsoft Archives are held for 12 years and includes Email, Groups, Public Folders, OneDrive and SharePoint.
        3. Deleted teams or content will be recoverable for 30 days.
        4. Owners must be aware of the data retention rules related to their documents and store them appropriately.
  5. Connecting Personal Equipment to the SFCC Network
    1. Students, faculty, and staff may bring personal devices on campus. These devices may only be connected to the guest wi-fi.
    2. Connect SFCC Wi-Fi Setup in your Wi-Fi Network.
    3. Open a browser and it will take you to wireless network.
    4. Select Guest.
    5. Accept the agreement.
    6. To connect to this network:
      1. Select the SFCC network using the appropriate wireless tool,
      2. Open a browser and attempt to visit any web page,
      3. The login page will appear.
      4. Type in your SFCC username and password.
    7. Students, faculty, and staff who connect their devices are responsible for ensuring that the latest patches and antivirus software are installed and running correctly. The device must have a current OS. Problematic devices may be blocked from accessing the network. Proof that the issue has been resolved through virus removal, computer rebuild, or permanent correction of vulnerability must be provided to the SFCC Service Desk. It is the responsibility of the device owner to make any repairs. Office of Information Technology staff will not repair personal devices.
    8. Guests may only use the SFCC Guest network. Conferences may request custom access to their event through the Conference Services Office.
    9. Students, faculty, and staff are discouraged from using the Guest network because it has limited bandwidth per user and does not provide access to on-campus resources, such as wireless printing, student file shares, and other resources. Problematic devices will be blocked from future use.
    10. SFCC provides Virtual Private Network (VPN) access for faculty, staff, and contractors(upon request and approval).
      1. Employees or contractors accessing, manipulating, or downloading Personally Identifiable Information (PII) must use an SFCC-provided laptop or computer to connect to the VPN.
      2. Employees are encouraged to use SFCC-provided equipment for this purpose.
      3. Employees wishing to use the VPN on their own personal devices must visit and follow the instructions to install the Global Protect Client.
      4. Employees and contractors are responsible for ensuring that their machine is up to date with security patches and has current antivirus/anti-malware and a firewall up and running on their machine.
      5. Problematic machines will be blocked from using VPN until the employee provides proof they have corrected the issue.
  6. Security Breaches & Personally Identifiable Information Exposure
    1. ALL SFCC employees are responsible for protecting campus data.
    2. Security breaches can involve stolen or lost computers, stolen or lost USB drives, theft of electronic media, theft or loss of hard copy documents, or unauthorized use of an SFCC account.
    3. Even if an employee is not sure that there is a breach, it is best to report the incident to the Office of Information Technology.
    4. Employees who handle personal information, which includes Social Security numbers, bank account numbers, driver’s license numbers, student identification numbers, birthdates, medical information, or any other identifying information must take steps to protect this information by doing the following:
      1. Alert the supervisor of any actual or suspected security breaches involving personal information. This may include lost or stolen computers, exposed paperwork, or unauthorized access to an employee account. If employees are unsure, it is better to err on the side of caution and report the incident.
      2. Take security steps to maintain confidentiality and integrity of personal information:
        1. Lock offices, rooms, and file cabinets.
        2. Do not leave paperwork with personal information on desks or in open areas.
        3. Lock computer access automatically.
        4. Use unique passwords.
        5. Change passwords often.
        6. Do not share or document passwords in unencrypted formats.
        7. Encrypt personal information when sending via email.
        8. Shred documents containing personal information.
        9. Ensure screens are not accessible to other people.
        10. Avoid leaving laptops, tablets, and other devices in autos or unlocked areas.
      3. If a data breach has occurred or is suspected, the employee or supervisor must report the incident to the Chief Information Officer or designee. The employee and supervisor should include as much information as possible:
        1. Nature of the breach,
        2. The information that was exposed,
        3. To whom it was exposed, and
        4. For how long it was exposed.
      4. Based on the type of breach, these additional steps should be taken:
        1. If the breach is believed to have occurred on a particular device or system:
          1. Employee(s) should stop using the device or system.
          2. Employee(s) should immediately contact the Chief Information Officer and the Office of Information Technology.
        2. The Office of Information Technology will determine the best method to evaluate the potential breach.
      5. If the data may have been exposed as a result of a stolen or lost computer:
        1. Report the theft or loss immediately to Campus Security, Safety and Security Office, Main Hallway, Room 101, 505-428-1222.
        2. Provide details of the data that may have been exposed.
        3. Depending on the situation, Campus Security may contact the police.
      6. If the issue may have been a result of unauthorized access to a particular account:
        1. The account should be disabled and passwords changed.
        2. The Office of Information Technology will determine the best method to evaluate the potential breach.
      7. Once a breach or Personally Identifiable Information exposure has been confirmed:
        1. The Office of Information Technology will provide specific details to the Executive Team regarding the breach.
        2. The Executive Team will determine the best course depending on the extent of the breach.
      8. An employee who is aware of a potential breach and does not report the incident may be subject to disciplinary action in accordance with SFCC Policy 4-2 Employee Corrective Action and Disciplinary Action.
  7. Security Awareness Training
    1. Security Awareness Training is required for all employees and will be made available through the KnowBe4 Cloud-based application. Required trainings include:
      1. Annual security awareness training for all employees,
      2. Employees who click on KnowBe4 phishing tests will be required to complete additional training,
      3. Employees whose actions results in a cybersecurity incident will be required to complete additional training,
      4. Additional cybersecurity training may be required for anyone handling sensitive or confidential data, providing access to confidential or sensitive data, or who is responsible for securing systems, networks, software, and databases.
      5. To locate the software log into MySFCC and click on the KnowBe4 icon to access your training plan.
  8. Physical Access to Data Center and IDF Access
    1. Physical access to network and server infrastructure is critical to data security at SFCC. Therefore, it must be limited to designated employees only:
      1. Main Distribution Frame (MDF) access is limited to the Chief Information Officer, directors, system administration, and network administration staff.
      2. Intermediate Distribution Frame (IDF) access is limited to Chief Information Officer, directors, and network administration staff, where appropriate.
      3. In some cases, the physical space is shared with Facilities and Operations staff.
      4. Security staff will not open MDF or IDF doors for any other employees, contractors, or visitors without the express written consent of the Chief Information Officer, Director of Network and Systems Administration, or a Network Administration Staff member.
      5. Anyone entering one of these spaces will need to provide identification at the Security Office and sign in and out of the room.
      6. Information Technology staff must monitor contractors in IDF or MDF during any upgrades or maintenance for which they are responsible. For example, network cabling must be managed by network staff.
      7. No IDF doors will be propped open without the presence of a network administration employee. If a contractor or visitor needs assistance with a door they must arrange an escort from a network administration staff person with a key.
      8. Data Center, Room 122 doors should remain closed at all times and access should only be accompanied by the Chief Information Officer, director, or network or systems administration staff member.
      9. Food and drink are not allowed in these spaces.
      10. Storing of equipment not related to network administration, telephones or system administration is prohibited in IDF and MDF rooms.
  9. Access to a Current or Former Employee’s Data or Email
    1. On occasion, access to a current employee’s data, logs, or email may be required. Supervisors should make every attempt to plan ahead so that the employee delegates access to email or move files to shared folders in advance.
    2. At times, emergencies may require additional access. Every attempt should be made to limit the request to only the required access.
    3. Information Technology staff will attempt to use archiving tools to find only relevant documents. In order to do so, access requests must be made to the Chief Information Officer and include the following:
      1. Approval of the Chief Human Resources Officer.
      2. Specific details of the type of access, file names, and dates required.
    4. Upon approval of the Chief Information Officer or designee, systems administration staff will provide access to the relevant email or provide copies of requested files in an appropriate location. Permissions will never include the following:
      1. The ability to delete email or files.
      2. The ability to send email as the person unless permission is granted by the individual.
      3. Direct access to the employee’s personal folder.
    5. Access to data or logs for litigation or investigative purposes.
      1. Requests from legal counsel or to complete an investigation must be approved by the Chief Human Resources Officer or designee for employees or the Vice President for Academic and Student Affairs for students.
      2. Requests must identify the email addresses or usernames of individuals and the appropriate search parameters.
      3. The Chief Human Resources Officer, Vice President for Academic and Student Affairs, or designee will forward the request to the Chief Information Officer or designee for assignment.
      4. Systems and network administration staff will complete relevant searches within the current logging and archival technologies.
      5. Any changes to the search parameters must be approved by the Chief Human Resources Officer or the Vice President for Academic and Student Affairs, or designee.
      6. Information Technology staff will provide access to the files to the appropriate executive or designee for review within three working days of receiving the approved search request.
    6. Accessing a Former Employee’s Email or Files
      1. The Office of Information Technology keeps former employee accounts, mailboxes, and network files in their original state for no less than six months. The account is disabled and hidden and email is either set to not accept email or is forwarded to another user. It is the responsibility of each department to request that email be forwarded and to transfer critical email and files within this time frame.
      2. After six months, accounts may be deleted from email, active directory, and other systems. Information Technology maintains an archive of individual mail and calendaring items for five years; however, they are no longer connected to a user account.
      3. Using the Information Technology ticketing system, the supervisor may request that the former employee’s email be forwarded to another employee and request an auto response to alert external and internal senders of the departure. These requests should include the following:
        1. A ticket submitted by the former employee’s supervisor,
        2. The former employee’s username,
        3. The forwarding email address requested, and
        4. The language of the requested auto-reply message.
      4. Through the Information Technology ticketing system, the supervisor may request temporary access to the mailbox through Outlook for the purpose of transferring old email. This should include the following:
        1. A ticket submitted by the former employee’s supervisor,
        2. The former employee’s username,
        3. A description of the access required.
        4. Access will not include the following:
          1. The ability to send email as the former employee,
          2. The ability to delete email or files.
      5. Through the Information Technology ticketing system, the supervisor may request that the files of the former employee be moved to a location accessible to themselves or another current employee. This should include the following:
        1. Former employee’s username, and
        2. Location of current files.
      6. Information Technology staff may contact the Office of Human Resources to ensure that the documents are being handled correctly.

Contact:          Cori Bergen, Chief Information Officer


Updated:         4/4/2023

View Policy