Feedback

7-1: Information Technology Resources, Usage and Security – Procedures

  1. Network Drives
  2. Password Management
  3. Banner Access Permissions and Requests
  4. Office 365
  5. Connecting Personal Equipment to SFCC Networks
  6. Procedures for Security Breaches or PII Exposure
  7. Security Awareness Training
  8. Physical Access to Data Center and IDF Access
  9. Accessing a Former Employee’s Email or Files

 

  1. Network Drives
    1. SFCC provides various shared folders accessible on campus for all students, faculty and staff.
    2. Employees are responsible for storing their important files on these drives, where the data is backed up and archived for retrieval in the event of data loss.
    3. Student personal drives are accessed via the My Documents folders on all PCs on campus and can be browsed to on all SFCC-owned Mac computers. Currently, students are provided with 2 GB of space per semester. These folders are deleted approximately the week prior to the next semester. Students are responsible for making copies of their work prior to the end of the semester.
    4. Staff and Faculty are each provided a personal drive. This drive is mapped as the P: drive. On a PC it can be found by clicking on “This PC” or using the File Explorer. Employees are currently allowed up to 5 GB of space. Once an employee reaches this size limit, they will no longer be able to add additional files without deleting older files. Staff are responsible for storing their files on a server.
    5. Requesting access to other network shares such as departmental or shared drives:
      1. Access to any other shared drives must be approved by the shareowner or the supervisor before access will be provided and submitted through the Information Technology ticketing system. The ticket should include approval from the requestor’s supervisor if the request is for a departmental drive or the data owner if the drive is for a non-departmental group. Permissions to drives will not be provided without these approvals. Once access has been approved and provided, you will need to log out of your computer and back in again.
      2. These are the drives:
        • O: Departmental Drives
        • S: Groups, Clubs, Committees and any other Non-Departmental function.
        • P: Personal Drives for Staff and Faculty
        • H, K, L, M: Reserved for System Processes.
  2. Account and Password Management
    1. Every student, staff and faculty member is provided an SFCC network account and an email address. This account is required to log in to SFCC owned devices, MySFCC, course registration, wireless, email, and more.
    2. Student accounts will be created approximately two hours after being admitted to the College.
    3. Each person is responsible for their account and any activities which occur under their account.
    4. Each person is required to choose a secure password and to protect that password.
    5. Passwords should never be shared with anyone else. No employee of SFCC will request your password and you should not give out your password either in writing, on a website, or verbally.
    6. If you suspect that your password has been compromised, change your password immediately and report the issue to the OIT Service Desk at 505-428-1222.
    7. Staff, faculty, contractors and any sponsored guests requiring access to the administrative networks have the following requirements:
      1. Passwords must contain letters, numbers and special characters.
      2. Password must be 8 or more characters.
      3. Password must not match the last 10 passwords.
      4. Minimum password age of one day.
        Accounts will lock out for 15 minutes after five bad password attempts and the passwords will expire every 150 days.
    8. Student account passwords must meet the following requirements:
      1. Passwords must be at least 8 characters.
      2. Passwords must not match the previous 10 passwords.
        Accounts will lock out for 15 minutes after five bad password attempts and passwords will expire every 180 days.
    9. Change your password using any of these methods:
      1. Use the change password reset link on the MySFCC login page.
      2. If you have been locked out of your account, go to the OIT Service Desk for password assistance or call 505-428-1222. You will be required to provide proof of identity.
      3. If you know your old password, log in to a campus PC: Click ctl-alt-del and choose Change password.
    10. If you suspect your account has been compromised:
      1. Change your password immediately.
      2. Alert the OIT Service Desk immediately by calling 505-428-1222.
    11. Account Name Changes
      1. Account Names are created automatically and are based on a person’s legal name. Legal name changes may be requested in either Human Resources (Employees) or the Registrar’s office (Students).
      2. Upon proof of a legal name change, OIT will assist in updating the name for all relevant accounts.
      3. If you wish to be known by a different name than your chosen name than you may ask to have your chosen name added to your banner account in Human Resources. OIT will then add this name in parentheses to your display name in AD and the email address book. It will not change your email address or username.
      4. All other name changes require the written approval of the CIO, executive-level supervisor, and the Executive Director of HR.
    12. Account Termination
      1. Upon separation from the College, full-time staff and faculty accounts will be disabled immediately. This includes Active Directory, email and Banner. Employees wishing to maintain access for a student account will be issued a new username.
      2. Adjunct faculty accounts will remain active for three semesters beyond their last completed semester.
      3. Student accounts are kept active for six semesters after graduation or the last completed course. Student who want their account to be terminated earlier should contact the Service Desk at 505-428-1222 or visit room 528.
  3. Banner Access Permissions and Requests
    1. Banner Access is based on job and campus roles. Additional permissions to access other Banner sections or modules must be requested.
    2. To request Banner access, you must fill out the Banner Access Request form. To locate the form, log in to MySFCC.
    3. An employee who needs access should work with their supervisor to determine the required access.
    4. The form must be signed by the employee’s supervisor and the data stewards. Here is a list of current data stewards and their data areas:
      • Purchasing, Payroll, Grants and Business Office: Nick Telles, Vice President of Finance/Chief Financial Officer
      • Student Accounts/Student Accounts Receivable: Barbara Sandoval, Cashier’s Office Manager
      • Web Time Entry approval: Amy Pell, Controller
      • Students: Kathleen Sena, Registrar
      • Financial Aid: Kelly Durbin, Director of Financial Aid
      • Human Resources: Supervisor and Signed off by Donna Wright, Interim Director of Human Resources.
    5. Once the form is completed, scan it and submit a ticket or deliver it to the OIT Service Desk, Room 528. The request will be forwarded to the Banner team to provide access.
    6. When an employee is separated from the College, all Banner permissions will be revoked from their account.
    7. Banner (INB) Password Requirements
      1. Minimum of 8 characters
      2. letters and numbers only
      3. 120-day expiration
  4. OFFICE 365
    1. Office 365 is a cloud-based subscription services which allows SFCC to provide access to a variety of Microsoft applications. These include Outlook, One Drive, Office Online, Office ProPlus and more.
    2. Current staff, faculty, and students are provided access to Office 365. Not all features are available to everyone. New offerings may be rolled out to select groups prior to implementation for the entire campus.
    3. Office 365 users are expected to follow all SFCC policies and those of Microsoft Office 365.
    4. Data containing confidential information, such as Social Security Numbers or Credit card information should not be stored on the Office 365 platform, either in email or file form.
    5. Office 365 Training. Microsoft maintains a wide variety of Office 365 Training Videos at this site: https://support.office.com/en-us/office-training-center
    6. Outlook Email. See Policy 7-4 Electronic Mail for more information about Outlook and Office 365 Exchange Email.
    7. Office Pro Plus Installation.
      1. Office Pro Plus is a version of Office that is available through the Office 365 platform.
      2. Staff, faculty, and currently enrolled credit course students have access to Office Pro Plus. Eligible users may download and install Office Pro Plus on up to five supported devices. Supported devices include those with Windows OS, Mac OS, IOS devices, and most android devices.
      3. Install on a Windows or Mac Device:
        1. Log into MySFCC at https://my.sfcc.edu.
        2. Click on the Office 365 Icon from the menu on the left.
        3. Click on the Install Office link in the upper right-hand side of the Office 365 Page.
        4. Download and install the software according to standard device processes.
        5. You will need to log in with your SFCC Username and password to use the software for free. If asked to “sign in” or “sign up” choose “sign in.”
        6. Choose the Work School Account type.
        7. Username is firstname.lastname@sfcc.edu and the password will be the same as the one you use for MySFCC.
      4. Install on an Android or IOS Device:
        1. Log into your device
        2. Visit the app store for your device
        3. Search for the specific app you would like to install. For example: Outlook or Microsoft Teams.
        4. Install the App
        5. Run the app
        6. When asked to “sign in” or “sign up,” choose “sign in.” (SFCC has already created an account for you.)
        7. If asked to use a Work/School or a Personal account, choose the Work/School option.
        8. At the SFCC log in page type in your SFCC username and password.
    8. One Drive
      1. OneDrive is cloud storage provided for the storage of files and information related to SFCC and is a convenient way to have access to your documents from anywhere.
      2. One Drive is available to all students, faculty and staff and includes 1 TB of storage space.
      3. Confidential information, such as credit cards, and social security numbers should not be stored on OneDrive.
      4. OneDrive is installed on all campus Windows 10 pcs. To access it:
        1. Click on the Windows Start Icon and type OneDrive in the search bar.
        2. Enter your SFCC username: firstname.lastname@sfcc.edu.
        3. If you are asked to choose a personal or Work/School account, choose Work/School.
        4. Type in your SFCC Username and password to log in and begin using One Drive.
        5. OneDrive is also available for installation on many mobile devices. Visit your app store and search for One Drive. You will be required to log in with your SFCC username and password.
    9. Office Online. Office Online is a set of online tools including Word, Excel, PowerPoint, and One Note which may be used in a web browser.
      1. All staff, faculty, and students are granted access to Office Online.
      2. Files created, saved, and edited through Office Online are stored within OneDrive.
      3. To access Office Online log into MySFCC and click on the Office 365 Icon.
    10. Microsoft TEAMS. Teams is a chat, file sharing, and collaboration tool that brings services such as Skype, One Drive, and Office Online into one platform.
      1. Teams are currently only available to SFCC faculty and staff.
      2. Student employees may have access to a Teams license by request only. Supervisors should enter a ticket using the OIT Ticket Self Service icon on the desktop.
      3. Teams Administration.
        1. Teams are monitored and governed by the Office of Information Technology.
        2. The Office of Information Technology does not create or manage Teams.
        3. Teams may be created by employees who are members of Office365TeamsCreators group. Access to this group is provided upon request to the OIT Service Desk.
        4. The creator is considered the owner of a team.
        5. The owner is responsible for:
          1. Following the naming convention below,
          2. Creating sub-teams,
          3. Assigning user permissions,
          4. Removing user permissions,
          5. Transferring ownership in the event they are terminating, and
          6. Ensuring information stored within the team conforms with all college policies.
      4. Naming Convention. Those creating Teams should use the following naming convention:
        1. Make sure the name includes a department, committee, or project name
        2. Add “_TEAMS” to the end of your team name.
        3. Names must follow all appropriate SFCC policies and procedures.
        4. Be aware that if your names are too close to the names of an email distribution list it may cause confusion. Adding “_TEAMS” will help avoid confusion.
        5. The Office of Information Technology may correct names to clear up confusion or naming conflicts. Team owners may also correct or edit team names.
      5. Team Cleanup.
        1. Teams will be automatically audited to ensure they are still in use.
        2. Any team that is inactive for one year will be deleted. Owners will receive warning emails 30 and 15 days prior to deletion.
        3. Any deleted team will be recoverable by the owner for 30 days.
      6. Accessing Teams. Teams may be accessed in several ways:
        1. Log into MySFCC and click on the Office 365 Icon.
        2. Choose Teams from the application options.
        3. You may also request the installation of the Teams application on your SFCC computer through the OIT Self Service Icon.
        4. Teams Applications are also available for installation on many mobile devices. Visit your App store and search for Microsoft Teams. You will be required to log in with your SFCC username and password.
      7. Data Storage, Backups and Archiving of Teams and other Office 365 tools.
        1. Data containing information such as Social Security Numbers, credit card numbers, and any other confidential data is not appropriate for storage or use within Teams or any other Office 365 Cloud-based product.
        2. While SFCC currently archives Office 365 content for legal purposes, there are no backups.
        3. Deleted teams or content will be recoverable for 30 days.
        4. Owners must be aware of the data retention rules related to their documents and store them appropriately.
        5. Chat and channel TEAMS data may not be restorable in instances where user accounts become deactivated.
  5. Connecting Personal Equipment to the SFCC Network
    1. Students, faculty and staff may bring personal devices on campus. These devices may only be connected to the SFCC Student wireless network: SFCC.
    2. All users are required to log in to use the campus wireless network.
    3. To connect to this network:
      1. Select the SFCC network using the appropriate wireless tool,
      2. Open a browser and attempt to visit any web page,
      3. The login page will appear.
      4. Type in your SFCC username and password.
    4. Students, faculty and staff who connect their devices are responsible for ensuring that the latest patches and antivirus software are installed and running correctly. Problematic devices may be blocked from accessing the network. Proof that the issue has been resolved through virus removal, computer rebuild, or permanent correction of vulnerability must be provided to the SFCC Service Desk. It is the responsibility of the device owner to make any repairs. OIT staff will not repair personal devices.
    5. Guests may only use the SFCC Guest network.
    6. Students, staff and faculty are discouraged from using the Guest network because it has limited bandwidth per user and does not provide access to on-campus resources, such as wireless printing, student file shares, and other resources. Problematic devices will be blocked from future use.
    7. Conference attendees may be granted access to the SFCC Event wireless network. Access to this network must be requested in advance of any event through the Conference Services Office.
    8. SFCC provides VPN access for faculty, staff and contractors upon request.
      1. Employees or contractors accessing, manipulating or downloading Personally Identifiable Information (PII) must use an SFCC-provided laptop or computer to connect to the VPN.
      2. Employees are encouraged to use SFCC-provided equipment for this purpose.
      3. Employees wishing to use the VPN on their own personal devices must visit https://sfcc.edu and follow the instructions to install the Global Protect Client.
      4. Employees and contractors are responsible for ensuring that their machine is up to date with security patches and has current antivirus/anti-malware and a firewall up and running on their machine.
      5. Problematic machines will be blocked from using VPN until the employee provides proof they have corrected the issue.
  6. Security Breaches & Personally Identifiable Information Exposure
    1. ALL SFCC employees are responsible for protecting campus data.
    2. Security breaches can involve stolen or lost computers, stolen or lost USB drives, theft of electronic media, theft or loss of hard copy documents or unauthorized use of an SFCC account.
    3. Even if an employee is not sure that there is a breach, it is best to report the incident to OIT.
    4. Employees who handle personal information, which includes Social Security numbers, bank account numbers, driver’s license numbers, student identification numbers, birthdates, medical information or any other identifying information must take steps to protect this information by doing the following:
      1. Alert the supervisor of any actual or suspected security breaches involving personal information. This may include lost or stolen computers, exposed paperwork or unauthorized access to an employee account. If employees are unsure, it is better to err on the side of caution and report the incident.
      2. Take security steps to maintain confidentiality and integrity of personal information:
        1. Lock offices, rooms and file cabinets.
        2. Do not leave paperwork with personal information on desks or in open areas.
        3. Lock computer access automatically.
        4. Use unique passwords.
        5. Change passwords often.
        6. Do not share or document passwords in unencrypted formats.
        7. Encrypt personal information when sending via email.
        8. Shred documents containing personal information.
        9. Ensure screens are not accessible to other people.
        10. Avoid leaving laptops, tablets and other devices in autos or unlocked areas.
      3. If a data breach has occurred or is suspected, the employee or supervisor must report the incident to the Chief Information Officer or designee. The employee and supervisor should include as much information as possible:
        1. Nature of the breach,
        2. The information that was exposed,
        3. To whom it was exposed, and
        4. For how long it was exposed.
      4. Based on the type of breach, these additional steps should be taken:
        1. If the breach is believed to have occurred on a particular device or system:
        2. Employee(s) should stop using the device or system.
        3. Employee(s) should immediately contact the Chief Information Officer and the Office of Information Technology.
        4. The Office of Information Technology will determine the best method to evaluate the potential breach.
      5. If the data may have been exposed as a result of a stolen or lost computer:
        1. Report the theft or loss immediately to Campus Security, Safety and Security Office, Main Hallway, Room 101, 505-428-1222.
        2. Provide details of the data that may have been exposed.
        3. Depending on the situation, Campus Security may contact the police.
      6. If the issue may have been a result of unauthorized access to a particular account:
        1. The account should be disabled and passwords changed.
        2. The Office of Information Technology will determine the best method to evaluate the potential breach.
      7. Once a breach or Personally Identifiable Information exposure has been confirmed:
        1. The Office of Information Technology will provide specific details to the Executive Team regarding the breach.
        2. The Executive Team will determine the best course depending on the extent of the breach.
      8. An employee who is aware of a potential breach and does not report the incident may be subject to disciplinary action in accordance with SFCC Policy 4-2 Employee Corrective Action and Disciplinary Action.
  7. Security Awareness Training
    1. Security Awareness Training is required for all employees and will be made available through the KnowBe4 Cloud-based application. Required trainings include:
      1. Annual security awareness training for all employees,
      2. Employees who click on KnowBe4 phishing tests will be required to complete additional training,
      3. Employees whose actions results in a cybersecurity incident will be required to complete additional training,
      4. Additional cybersecurity training may be required for anyone handling sensitive or confidential data, providing access to confidential or sensitive data, or who is responsible for securing systems, networks, software, and databases.
      5. To locate the software log into MySFCC and click on the KnowBe4 icon to access your training plan.
  8. Physical Access to Data Center and IDF Access
    1. Physical access to network and server infrastructure is critical to data security at SFCC. Therefore, it must be limited to designated employees only:
      1. MDF access is limited to the Chief Information Officer, directors, system administration and network administration staff.
      2. IDF access is limited to Chief Information Officer, directors and network administration staff, where appropriate
      3. In some cases, the physical space is shared with Plant, Operations and Management staff.
      4. Security Staff will not open MDF or IDF doors for any other employees, contractors or visitors without the express written consent of the Chief Information Officer, Director of Network and Systems Administration or a Network Administration Staff member.
      5. Anyone entering one of these spaces will need to provide identification at the Security Office and sign in and out of the room.
      6. Information Technology staff must monitor contractors in IDF or MDF during any upgrades or maintenance for which they are responsible. For example, network cabling must be managed by network staff.
      7. No IDF doors will be propped open without the presence of a network administration employee. If a contractor or visitor needs assistance with a door than they must arrange an escort from a network administration staff person with a key.
      8. Data Center, Room 122 doors should remain closed at all times and access should only be accompanied by the Chief Information Officer, director or network or systems administration staff member.
      9. Food and drink are not allowed in these spaces.
      10. Storing of equipment not related to network administration, telephones or system administration is prohibited in IDF and MDF rooms.
  9. Access to a Current or Former Employee’s Data or Email
    1. On occasion, access to a current employee’s data, logs or email may be required. Supervisors should make every attempt to plan ahead so that the employee delegates access to email or move files to shared folders in advance.
    2. At times, emergencies may require additional access. Every attempt should be made to limit the request to only the required access.
    3. Information Technology staff will attempt to use archiving tools to find only relevant documents. In order to do so, access requests must be made to the Chief Information Officer and include the following:
      1. Approval of the Executive Director of Human Resources.
      2. Specific details of the type of access, file names and dates required.
    4. Upon approval of the Chief Information Officer or designee, systems administration staff will provide access to the relevant email or provide copies of requested files in an appropriate location. Permissions will never include the following:
      1. The ability to delete email or files.
      2. The ability to send email as the person unless permission is granted by the individual.
      3. Direct access to the employee’s personal folder.
    5. Access to data or logs for litigation or investigative purposes.
      1. Requests from legal counsel or to complete an investigation must be approved by the Executive Director of Human Resources or designee for employees or the Vice President for Academic and Student Affairs for students.
      2. Requests must identify the email addresses or usernames of individuals and the appropriate search parameters.
      3. The Executive Director of Human Resources, Vice President for Academic and Student Affairs or designee will forward the request to the Chief Information Officer or designee for assignment.
      4. Systems and network administration staff will complete relevant searches within the current logging and archival technologies.
      5. Any changes to the search parameters must be approved by the Executive Director of Human Resources or the Vice President for Academic and Student Affairs or designee.
      6. Information Technology staff will provide access to the files to the appropriate executive or designee for review within three working days of receiving the approved search request.
    6. Accessing a Former Employee’s Email or Files
      1. The Office of Information Technology keeps former employee accounts, mailboxes and network files in their original state for no less than six months. The account is disabled and hidden and email is either set to not accept email or is forwarded to another user. It is the responsibility of each department to request that email be forwarded and to transfer critical email and files within this time frame.
      2. After six months, accounts may be deleted from email, active directory and other systems. Information Technology maintains an archive of individual mail and calendaring items for five years; however, they are no longer connected to a user account.
      3. Using the Information Technology ticketing system, the supervisor may request that the former employee’s email be forwarded to another employee and request an auto response to alert external and internal senders of the departure. These requests should include the following:
        1. A ticket submitted by the former employee’s supervisor,
        2. The former employee’s username,
        3. The forwarding email address requested, and
        4. The language of the requested auto-reply message.
      4. Through the Information Technology ticketing system, the supervisor may request temporary access to the mailbox through Outlook for the purpose of transferring old email. This should include the following:
        1. A ticket submitted by the former employee’s supervisor,
        2. The former employee’s username,
        3. A description of the access required.
        4. Access will not include the following:
          1. The ability to send email as the former employee,
          2. The ability to delete email or files.
      5. Through the Information Technology ticketing system, the supervisor may request that the files of the former employee be moved to a location accessible to themselves or another current employee. This should include the following:
        1. Former employee’s username, and
        2. Location of current files.
      6. Information Technology staff may contact the Office of Human Resources to ensure that the documents are being handled correctly.

Contact:          Cori Bergen, Associate Chief Information Officer

505-428-1185,  cori.bergen@sfcc.edu 

Updated:         12/10/2019

View Policy