7-1: Information Technology Resources, Usage and Security – Procedures

  1. Network Drives
  2. Password Management
  3. Banner Access Permissions and Requests
  4. Connecting Personal Equipment to SFCC Networks
  5. Procedures for Security Breaches or PII Exposure
  6. Physical Access to Data Center and IDF Access
  7. Accessing a Former Employee’s Email or Files
  1. Network Drives
    1. SFCC provides various shared folders accessible on campus for all students, faculty and staff.
    2. Employees are responsible for storing their important files on these drives, where the data is backed up and archived for retrieval in the event of data loss.
    3. Student personal drives are accessed via the My Documents folders on all PCs on campus and can be browsed to on all SFCC-owned Mac computers. Currently, students are provided with 2 GB of space per semester. These folders are deleted approximately the week prior to the next semester. Students are responsible for making copies of their work prior to the end of the semester.
    4. Staff and Faculty are each provided a personal drive. This drive is mapped as the P: drive. On a PC it can be found by clicking on “This PC” or using the File Explorer. Employees are currently allowed up to 5 GB of space. Once an employee reaches this size limit, they will no longer be able to add additional files without deleting older files. Staff are responsible for storing their files on a server.
    5. Requesting access to other network shares such as departmental or shared drives:
      1. Access to any other shared drives must be approved by the shareowner or the supervisor before access will be provided and submitted through the Information Technology ticketing system. The ticket should include approval from the requestor’s supervisor if the request is for a departmental drive or the data owner if the drive is for a non-departmental group. Permissions to drives will not be provided without these approvals. Once access has been approved and provided, you will need to log out of your computer and back in again. These are the drives:
        • O: Departmental Drives
        • S: Groups, Clubs, Committees and any other Non-Departmental function.
        • P: Personal Drives for Faculty and Staff
        • H, K, L, M: Reserved for System Processes.
  2. Account and Password Management
    1. Every student, staff and faculty member is provided an SFCC network account and an email address. This account is required to log in to SFCC owned devices, MySFCC, SFCC Connect, course registration, wireless, email, and more.
    2. Student accounts will be created approximately two hours after being admitted to the College.
    3. Each person is responsible for their account and any activities which occur under their account.
    4. Each person is required to choose a secure password and to protect that password.
    5. Passwords should never be shared with anyone else. No employee of SFCC will request your password and you should not give out your password either in writing, on a website, or verbally.
    6. If you suspect that your password has been compromised, change your password immediately and report the issue to the OIT Service Desk at 505-428-1222.
    7. Staff, faculty, contractors and any sponsored guests requiring access to the administrative networks have the following requirements:
      1. Passwords must contain letters, numbers and special characters.
      2. Password must be 8 or more characters.
      3. Password must not match the last 10 passwords.
      4. Minimum password age of one day.
        Accounts will lock out for 15 minutes after five bad password attempts and the passwords will expire every 150 days.
    8. Student account passwords must meet the following requirements:
      1. Passwords must be at least 8 characters.
      2. Passwords must not match the previous 10 passwords.
        Accounts will lock out for 15 minutes after five bad password attempts and passwords will expire every 180 days.
    9. Change your password using any of these methods:
      1. Use the change password reset link on the MySFCC login page.
      2. If you have been locked out of your account, go to the OIT Service Desk for password assistance or call 505-428-1222. You will be required to provide proof of identity.
      3. If you know your old password, log in to a campus PC: Click ctl-alt-del and choose Change password.
    10. If you suspect your account has been compromised:
      1. Change your password immediately.
      2. Alert the OIT Service Desk immediately by calling 505-428-1222.
    11. Account Name Changes
      1. Account Names are created automatically and are based on a person’s legal name. Legal name changes may be requested in either Human Resources (employees) or the Registrar’s Office (students).
      2. Upon proof of a legal name change, OIT will assist in updating the name for all relevant accounts.
      3. If you wish to be known by a different name than your chosen name than you may ask to have your chosen name added to your banner account in Human Resources. OIT will then add this name in parentheses to your display name in the Active Directory and the email address book. It will not change your email address or username.
      4. All other name changes require the written approval of the Chief Information Officer, executive-level supervisor, and the Acting Director of Human Resources.
    12. Account Termination
      1. Upon separation from the College, full-time faculty and staff accounts will be disabled immediately. This includes Active Directory, email and Banner. Employees wishing to maintain access for a student account will be issued a new username.
      2. Adjunct faculty accounts will remain active for three semesters beyond their last completed semester.
      3. Student accounts are kept active for six semesters after graduation or the last completed course. Student who want their account to be terminated earlier should contact the Service Desk at 505-428-1222 or visit room 528.
  3. Banner Access Permissions
    1. Banner Access is based on job and campus roles. Additional permissions to access other Banner sections or modules must be requested.
    2. To request Banner access, you must fill out the Banner Access Request form. To locate the form log in to MySFCC.
    3. An employee who needs access should work with their supervisor to determine the required access.
    4. The form must be signed by the employee’s supervisor and the data stewards. Here is a list of current data stewards and their data areas:
      • Purchasing, Payroll, Grants and Business Office: Nick Telles, Vice President of Finance/Chief Financial Officer
      • Student Accounts/Student Accounts Receivable: Barbara Sandoval, Cashier’s Office Manager
      • Web Time Entry approval: Amy Pell, Controller
      • Students: Kathleen Sena, Registrar
      • Financial Aid: Kelly Durbin, Director of Financial Aid
      • Human Resources: Supervisor and Signed off by Yash Morimotio, Acting Director of Human Resources.
    5. Once the form is completed, scan it and submit a ticket or deliver it to the OIT Service Desk, Room 528. The request will be forwarded to the Banner team to provide access.
    6. When an employee is separated from the College, all Banner permissions will be revoked from their account.
      Banner (INB) Password Requirements
      Minimum of 8 characters
      letters and numbers only
      120-day expiration
  4. Connecting Personal Equipment to the SFCC Network
    1. Students, faculty and staff may bring personal devices on campus. These devices may only be connected to the SFCC Student wireless network: SFCC.
    2. All users are required to log in to use the campus wireless network.
    3. To connect to this network:
      1. Select the SFCC network using the appropriate wireless tool,
      2. Open a browser and attempt to visit any web page,
      3. The login page will appear.
      4. Type in your SFCC username and password.
    4. Students, faculty and staff who connect their devices are responsible for ensuring that the latest patches and antivirus software are installed and running correctly. Problematic devices may be blocked from accessing the network. Proof that the issue has been resolved through virus removal, computer rebuild, or permanent correction of vulnerability must be provided to the SFCC Service Desk. It is the responsibility of the device owner to make any repairs. OIT staff will not repair personal devices.
    5. Guests may only use the SFCC Guest network.
    6. Students, staff and faculty are discouraged from using the Guest network because it has limited bandwidth per user and does not provide access to on-campus resources, such as wireless printing, student file shares, and other resources. Problematic devices will be blocked from future use.
    7. Conference attendees may be granted access to the SFCC Event wireless network. Access to this network must be requested in advance of any event through the Conference Services Office.
    8. SFCC provides VPN access for faculty, staff and contractors upon request.
      1. Employees or contractors accessing, manipulating or downloading Personally Identifiable Information (PII) must use an SFCC-provided laptop or computer to connect to the VPN.
      2. Employees are encouraged to use SFCC-provided equipment for this purpose.
      3. Employees wishing to use the VPN on their own personal devices must visit https://sfcc.edu and follow the instructions to install the Global Protect Client.
      4. Employees and contractors are responsible for ensuring that their machine is up-to-date with security patches and has current antivirus/anti-malware and a firewall up and running on their machine.
      5. Problematic machines will be blocked from using VPN until the employee provides proof they have corrected the issue.
  5. Procedures for Security Breaches or Personally Identifiable Information Exposure
    1. ALL SFCC employees are responsible for protecting campus data. Security breaches can involve stolen or lost computers, stolen or lost USB drives, theft of electronic media, theft or loss of hard copy documents or unauthorized use of an SFCC account. Even if an employee is not sure that there is a breach, it is best to report the incident to OIT.
    2. Employees who handle personal information, which includes Social Security numbers, bank account numbers, driver’s license numbers, student identification numbers, birthdates, medical information or any other identifying information must take steps to protect this information by doing the following:
      1. Alert the supervisor of any actual or suspected security breaches involving personal information. This may include lost or stolen computers, exposed paperwork or unauthorized access to an employee account. If employees are unsure, it is better to err on the side of caution and report the incident.
      2. Take security steps to maintain confidentiality and integrity of personal information:
        1. Lock offices, rooms and file cabinets.
        2. Do not leave paperwork with personal information on desks and in open areas.
        3. Lock computer access automatically.
        4. Use unique passwords.
        5. Change passwords often.
        6. Do not share or document passwords in unencrypted formats.
        7. Encrypt personal information when sending via email.
        8. Shred documents containing personal information.
        9. Ensure screens are not accessible to other people.
        10. Avoid leaving laptops, tablets and other devices in autos or unlocked areas.
      3. If a data breach has occurred or is suspected, the employee or supervisor must report the incident to the Chief Information Officer or designee. The employee and supervisor should include as much information as possible:
        1. Nature of the breach,
        2. The information that was exposed,
        3. To whom it was exposed, and
        4. For how long it was exposed.
      4. Based on the type of breach, these additional steps should be taken:
        1. If the breach is believed to have occurred on a particular device or system:
        2. Employee(s) should stop using the device or system.
        3. Employee(s) should immediately contact the Chief Information Officer and the Office of Information Technology.
        4. The Office of Information Technology will determine the best method to evaluate the potential breach.
      5. If the data may have been exposed as a result of a stolen or lost computer:
        1. Report the theft or loss immediately to Campus Security, Safety and Security Office, Main Hallway, Room 101, 505-428-1222.
        2. Provide details of the data that may have been exposed.
        3. Depending on the situation, Campus Security may contact the police.
      6. If the issue may have been a result of unauthorized access to a particular account:
        1. The account should be disabled and passwords changed.
        2. The Office of Information Technology will determine the best method to evaluate the potential breach.
      7. Once a breach or Personally Identifiable Information exposure has been confirmed:
        1. The Office of Information Technology will provide specific details to the Executive Team regarding the breach.
        2. The Executive Team will determine the best course depending on the extent of the breach.
      8. An employee who is aware of a potential breach and does not report the incident may be subject to disciplinary action in accordance with SFCC Policy 4-2 Employee Corrective Action and Disciplinary Action.
  6. Physical Access to Data Center and IDF Access
    1. Physical access to network and server infrastructure is critical to data security at SFCC. Therefore, it must be limited to designated employees only:
      1. MDF access is limited to the Chief Information Officer, directors, system administration and network administration staff.
      2. IDF access is limited to Chief Information Officer, directors and network administration staff, where appropriate
      3. In some cases, the physical space is shared with Plant, Operations and Management staff.
      4. Security Staff will not open MDF or IDF doors for any other employees, contractors or visitors without the express written consent of the Chief Information Officer, Director of Network and Systems Administration or a Network Administration Staff member.
      5. Anyone entering one of these spaces will need to provide identification at the Security Office and sign in and out of the room.
      6. Information Technology staff must monitor contractors in IDF or MDF during any upgrades or maintenance for which they are responsible. For example, network cabling must be managed by network staff.
      7. No IDF doors will be propped open without the presence of a network administration employee. If a contractor or visitor needs assistance with a door than they must arrange an escort from a network administration staff person with a key.
      8. Data Center, Room 122 doors should remain closed at all times and access should only be accompanied by the Chief Information Officer, director or network or systems administration staff member.
      9. Food and drink are not allowed in these spaces.
      10. Storing of equipment not related to network administration, telephones or system administration is prohibited in IDF and MDF rooms.
  7. Access to a Current or Former Employee’s Data or Email
    1. On occasion, access to a current employee’s data, logs or email may be required. Supervisors should make every attempt to plan ahead so that the employee delegates access to email or move files to shared folders in advance.
    2. At times, emergencies may require additional access. Every attempt should be made to limit the request to only the required access.
    3. Information Technology staff will attempt to use archiving tools to find only relevant documents. In order to do so, access requests must be made to the Chief Information Officer and include the following:
      1. Approval of the Acting Director of Human Resources.
      2. Specific details of the type of access, file names and dates required.
    4. Upon approval of the Chief Information Officer or designee, systems administration staff will provide access to the relevant email or provide copies of requested files in an appropriate location. Permissions will never include the following:
      1. The ability to delete email or files.
      2. The ability to send email as the person unless permission is granted by the individual.
      3. Direct access to the employee’s personal folder.
    5. Access to data or logs for litigation or investigative purposes.
      1. Requests from legal counsel or to complete an investigation must be approved by the Acting Director of Human Resources or designee for employees or the Vice President for Academic and Student Affairs for students.
      2. Requests must identify the email addresses or usernames of individuals and the appropriate search parameters.
      3. The Acting Director of Human Resources, Vice President for Academic and Student Affairs or designee will forward the request to the Chief Information Officer or designee for assignment.
      4. Systems and network administration staff will complete relevant searches within the current logging and archival technologies.
      5. Any changes to the search parameters must be approved by the Acting Director of Human Resources or the Vice President for Academic and Student Affairs or designee.
      6. Information Technology staff will provide access to the files to the appropriate executive or designee for review within three working days of receiving the approved search request.
    6. Accessing a Former Employee’s Email or Files
      1. The Office of Information Technology keeps former employee accounts, mailboxes and network files in their original state for no less than six months. The account is disabled and hidden and email is either set to not accept email or is forwarded to another user. It is the responsibility of each department to request that email be forwarded and to transfer critical email and files within this time frame.
      2. After six months, accounts may be deleted from email, active directory and other systems. Information Technology maintains an archive of individual mail and calendaring items for five years; however, they are no longer connected to a user account.
      3. Using the Information Technology ticketing system, the supervisor may request that the former employee’s email be forwarded to another employee and request an auto response to alert external and internal senders of the departure. These requests should include the following:
        1. A ticket submitted by the former employee’s supervisor,
        2. The former employee’s username,
        3. The forwarding email address requested, and
        4. The language of the requested auto-reply message.
      4. Through the Information Technology ticketing system, the supervisor may request temporary access to the mailbox through Outlook for the purpose of transferring old email. This should include the following:
        1. A ticket submitted by the former employee’s supervisor,
        2. The former employee’s username,
        3. A description of the access required.
          Access will not include the following:

          1. The ability to send email as the former employee.
          2. The ability to delete email or files.
      5. Through the Information Technology ticketing system, the supervisor may request that the files of the former employee be moved to a location accessible to themselves or another current employee. This should include the following:
        1. Former employee’s username, and
        2. Location of current files.
      6. Information Technology staff may contact the Office of Human Resources to ensure that the documents are being handled correctly.

Contact: Cori Bergen, Associate Chief Information Officer
505-428-1185,  cori.bergen@sfcc.edu

Updated: 2/11/2019

View Policy