Information Technology and Resources Procedures Printed Version

7.0001 Information Technology and Resources - Glossary of Terms

Based on board policy number and Florida Statutes: F.S. 1001.64; 1001.65
Effective Date: 09/2015
Date of Review: ---

Purpose

The purpose of this procedure is to provide a glossary of terms related to College information technology and resources to ensure their consistent application and interpretation.

Procedure

  1. Information Technology includes, but is not limited to, the following:
    • closed-circuit television
    • College website and web pages
    • computer systems
    • computers
    • data sets
    • distance learning materials and technology
    • e-mail and e-mail systems
    • Internet access
    • Enterprise servers
    • networks (wireless and wired access)
    • on-line courses
    • peripheral equipment (such as printers) and related hardware and software
    • storage devices (such as CD-ROMS and hard or soft drives)
    • support of any courses requiring IT services
    • workstations
  2. The meaning of each of the terms listed here (in alphabetical order) should be interpreted as written regardless of the context in which it is presented (policies, procedures, discussion, announcements, etc.).
    1. Account - Refers to the computer access account, established for each person provided with access to the College's information technology systems.
    2. Contingent Worker/Person of Interest – Refers to an unpaid worker (i.e., can be a volunteer, an intern, or a person paid through a temporary employment agency), who is not classified as an employee but might need access to the College’s information systems to perform assigned tasks.
    3. Data
      1. Confidential data (also called restricted data) – such as: SSN, Grades, Financial aid data, etc., as stated in Data Classification, Security and Roles (Procedure 7.0500), is data protected by law or regulation whose improper use or disclosure could:
        1. Adversely affect the ability of the College to accomplish its mission
        2. Lead to the possibility of identity theft by release of personally identifiable information of College constituents
        3. Put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA
        4. Put the College into a state of non-compliance with contractual obligations
      2. Enterprise data – such as: data in PeopleSoft, Active Directory, etc., is centralized data shared by many employees of the College that is critical to the administration of the College.
      3. Restricted data (also called confidential data) – such as: SSN, Grades, Financial aid data, etc., as stated in Data Classification, Security and Roles (Procedure 7.0500), is data protected by law or regulation whose improper use or disclosure could:
        1. Adversely affect the ability of the College to accomplish its mission
        2. Lead to the possibility of identity theft by release of personally identifiable information of College constituents
        3. Put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA
        4. Put the College into a state of non-compliance with contractual obligations
      4. Sensitive data – By default, ALL INSTITUTIONAL DATA are classified as SENSITIVE:
        1. Data that Data Managers have decided NOT to publish or make public
        2. Data protected by contractual obligations.
        3. Purchasing data, Information covered by non-disclosure agreements … etc. as stated in Data Classification, Security and Roles (Procedure 7.0500)
    4. Data Leakage – The intentional or unintentional misuse of the College’s confidential sensitive data with the intended or unintended consequence of its release to non-authorized users.
    5. Device (also called Personally-Owned Devices or PODs) – Applies to any hardware and related software that is NOT owned or supplied by SSC, but could be used to access SSC resources. This includes devices that employees have acquired for personal use, but also wish to use in the business environment. It includes any personally-owned device capable of processing, storing, and sharing SSC data and connecting to a network. Examples of such devices include, but are not limited to: desktops, laptops, tablets, smart phones, handheld computers, or other removable media storage devices (i.e., USB drives, Optical drives … etc.).
    6. Email - The electronic transmission of information through a mail protocol such as SMTP or IMAP; in our case, this is Microsoft Outlook.
      1. Chain email or letter - Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.
      2. Forwarded email - Email resent from an internal network to an outside point.
    7. Encryption – A procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.
    8. Locked - The information technology system account is considered locked when it is no longer available to the user in any capacity.
    9. Malware – Malicious software, typically used as a catch-all term to refer to any software that causes damage to a computer, server, or computer network. The most common types of malware are: viruses, worms, Trojan-horses and spyware.
      1. Backdoor - A malware type that bypasses the College’s computer authentication systems, potentially impacting all computer systems (e.g., desktops, laptops, tablets, servers, etc.).
      2. Botnet - A malware that is installed on a PC and remotely controlled by the botnet owner to commit cybercrimes.
      3. Rootkit – Stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
      4. Spyware - A program that secretly monitors your online activity and sends the data back to the programmer.
      5. Trojan-horses - An apparently useful and innocent application containing a hidden malicious program.
      6. Virus - Self-replicating malware requiring a host file that depends on human action to spread it.
      7. Virus Hoax – Email containing warnings about virus or malware typically with the intent to mislead users.
      8. Worm - Self-contained malware, needing no host file, which spreads automatically through networks.
    10. Personal Activities– Activities including but not limited to:
      1. Using College email, Internet, or other technology for personal endeavors involving social networking, blogs, personal banking accounts, cell phone operators, gaming, online gambling, social media non-work related websites, etc.
      2. Using College email to send a message that is unrelated to work to contact current or former employees, vendors, agents, or partners.
      3. Using College email to send or forward massive e-mails to public email systems, such as: Gmail, Yahoo, and Hotmail.
      4. Using College systems for instant messaging that is unrelated to work to contact current or former employees, vendors, agents or partners.
      5. Downloading massive non-work related copyrighted materials; software, documents, music, photos, videos, etc. to College information systems or equipment.
    11. Phishing– An attempt to acquire information such as usernames, passwords, money, and credit card information by masquerading as a trustworthy entity in an electronic communication.
      1. Phishing website – An attempt to acquire information (such as usernames, passwords, and credit card details) by masquerading as a trustworthy entity in an electronic communication. Phishing websites usually have a name close to the real website name and look like the original website.
    12. Professional Purposes – Work-related activity that is NOT personal activity.
    13. Proxy Website (or site) – Generally used to describe a Website that allows you to surf the Internet anonymously or allows you to unblock a Website.
    14. Removable Media – Devices or media readable and/or writable by the end user and able to be moved from computer to computer without modification to the computer. This includes flash memory devices (such as thumb drives, SD cards, cameras, MP3 players and PDAs); removable hard drives (including hard drive-based MP3 players); optical disks (such as CD and DVD disks); floppy disks and software disks.
    15. Roles
      1. Employee Roles - Refers to the computer access provided to employees in order for them to accomplish their duties and responsibilities.
      2. Instructor Roles - Refers to the computer access provided to employees who teach students.
      3. Student Roles - Refers to the computer access available to students of the College. Employees who are students of the College are provided with student roles in addition to any employee roles they might be provided in order to accomplish their duties and responsibilities.
    16. Row Level Security – Specifies the data that a particular user is permitted to access.
    17. Sensitive information - Sensitive information is information/data that must be protected from unauthorized access to safeguard the privacy or security of an individual or the College. Protection of sensitive information may be required for legal or ethical reasons. Please refer to Procedure 7.0500 Data Classification, Security and Roles to identify the sensitivity of information.
    18. Social Media- Media designed to be disseminated through social interaction using highly accessible and scalable publishing techniques. Social media uses Internet and web-based technologies to transform how people communicate with one another and receive news, information and entertainment. Types of social media include networks such as Facebook and YouTube but also include blogs and podcasts.
      1. Social Media Accounts - Accounts or profiles created in social media outlets such as Facebook, Twitter, YouTube, Flickr and LinkedIn.
      2. Social Media Poster or User - A person submitting content to any social media site that is officially recognized by Seminole State College of Florida.
    19. Spam – Commonly known as junk email or unsolicited bulk email.
    20. Threat Mitigation – The use of preventative measures to protect the integrity of the College’s computer systems.
    21. Unauthorized Disclosure - The intentional or unintentional revealing of restricted information to internal and external constituents unauthorized to receive that information. Please refer to Procedure 7.0500 Data Classification, Security and Roles to identify the sensitivity of information.
    22. Users – All employees who have access to College Information Technology resources via a College-assigned Userid and Password.
Recommended by: Executive Team; Date: 09/22/2015
Approved: President, E. Ann McGee; Date: 09/28/2015

7.0100 Access to Information Technology and Reassignment

Date of Revision:
Authority: F.S. 1001.64; 1001.65; F.A.C. 6A-14.0261; F.A.C. 6A-14.092 Textbook Affordability; Higher Education Opportunity Act of 2008
Date Adopted: 01/13; 02/18
Date of Review: 12/17
Related Policy: 7.010; 7.020

Purpose

To define and outline the procedure for the timely activation of access to the College's information technology systems as it relates to new faculty and staff and those whose work assignment has changed.

Definitions

Refer to College Procedure 7.0001 Information Technology and Resources – Glossary of Terms for definitions of terms used throughout this procedure.

Procedure

  1. User Access
    All Seminole State College employees, at the date of hire, will be provided a UserID and password with basic employee security to view his/her self-service benefits and payroll information. Professors and adjunct instructors will be provided instructor security 60 days prior to the beginning of the term the instructor is scheduled to teach.

    A password is private information and each User is responsible for safeguarding his/her own password. Passwords to restricted data must not be shared and it is against College Policy and Procedure to use another User's account. Failure to conform to these restrictions may lead to suspension of UserID or other action as provided by the College’s disciplinary action procedure.

    The functional requirements listed in each job description will provide the basis for determining the type of access and the level of security needed by the employee holding that position. Before access to student records is granted, employees must complete an online FERPA Skillsoft module and satisfactorily pass the exam (see Procedure 7.0500 Data Classification, Security and Roles). Professors and adjunct instructors will be required to complete the exam within two weeks after the start of the semester they are scheduled to teach to maintain records access.

    Security approval and access to any college sensitive data will require a completed and properly approved online User Access Request Form. Note that if the User requires access to payroll administration, schedule building, or the financials system, the User must attend mandatory training.

    Steps to Gain Access to the College’s Information Technology Systems
    1. The hiring department completes all sections of the online User Access Request form for the employee.
    2. A supervisor from the hiring department approves the form and forwards it to the CTS Security Administrator for processing.
    3. The Security Administrator sets the User up with the requested access after the FERPA exam has been satisfactorily passed (see Procedure 7.0500 Data Classification, Security, and Roles).
    4. The Security Administrator will send the User Access Request to Network for email and network setup. A notification will be sent to the User and the hiring department when access has been established.
  2. Reassignment and Notification
    If a User’s status, job responsibilities, or other related situation changes, the User’s Supervisor must notify the Office of Human Resources as well as CTS, using the appropriate process or form. Such changes may include a change in department, position, supervisor, functional requirements, modifications in the User’s access needs, or even a name change. Such notification should be sent prior to the effective date of the change.

    Notification to CTS
    The User/Supervisor should complete a new User Access Request Form and follow the steps listed in Section A above to notify CTS and explain the changes needed in the User’s security access.

    Within two (2) business days of receiving notice of job assignment change, CTS will review the computer access accounts and take appropriate action which may include removing or reassigning User access; notifying department managers and supervisors; and notifying system functional analysts. CTS will maintain records showing the timely reassignment of employee and Contingent Worker/Person of Interest access to information technology systems.
Recommended by: Executive Team/CAC; Date: 2/20/2018
Signed by: E. Ann McGee; Date: 2/22/2018

7.0130 Email and Official College Electronic Communication Use

Authority: F.S. Chapter 119; 1001.64; 1001.65
Date Adopted: 01/16
Date of Review: 10/19
Related Policy: 1.160; 7.010; 7.020

Purpose

Seminole State College’s official electronic communications are delivered through the College’s email, social media platforms, web site and applicable learning management systems (“communication(s) system(s)”). These communications systems are variously available to students, faculty, staff, retirees, members of the District Board of Trustees, members of the public, and other authorized constituents to improve educational and administrative efficiency. The purpose of this procedure is to provide guidelines for the management and use of the College's electronic communications systems.

Definitions

Refer to College Procedure 7.0001 Information Technology and Resources – Glossary of Terms for definitions of terms used throughout this procedure.  Additionally, the following terms used in this Procedure have the following definitions:

“Official Account” means a social media platform or website that is approved and operated in accordance with this procedure and is actively managed by College employees in the Marketing & Communications department.

“Authorized Account” means a social media platform or website that is not an “Official Account” but is approved and operated in accordance with this procedure and is actively managed by a College employee outside the Marketing & Communications department.

Procedure

A.  Authorized Users 

  1. Only College students, faculty, staff, retirees, members of the District Board of Trustees, and other constituents who have received permission under the appropriate College authority are authorized users of the College's communications systems.
  2. Students
    1. Seminole State College students will have access to email and learning management systems and can be reached by College faculty and staff as needed. Communications sent via the College-provided communications systems may include, but are not limited to, information regarding attendance, grades, admissions, enrollment services, advising, financial aid, emergency closures, changes to class schedules, etc.
    2. The Computing and Telecommunication Services (CTS) Department will remove a student’s email after three (3) consecutive terms of student inactivity (e.g., no enrollment, no valid application, collections). Students will be notified via e-mail thirty (30) days prior to removal.
  3. Faculty, Staff, and Retirees
    1. Faculty will determine how email and the learning management system are used in their classes and will specify requirements in the course syllabus. 
    2. This procedure will ensure that all students are able to comply with electronic communications-based course requirements specified by faculty. Faculty are authorized to use email for their sole communications of certain elements related to their classes. 
    3. All Seminole State class information that is disseminated electronically must be sent through the College’s electronic system (e.g., email, the learning management system, or similar College-adopted programs).
    4. The Computing and Telecommunication Services (CTS) Department will remove an employee’s email account upon notification that employment has been terminated.
    5. An email account must be requested for a retiree who wants access to the system. 
    6. A retiree’s account will be removed if it is not used for six consecutive months. The email account may be reinstated at the College’s discretion. 
  4. Members of the District Board of Trustees
    1. An email account will be established for all Board members.
    2. Communication sent via Seminole State email is considered adequate notification of College-related business.
    3. When a term of service has ended for a Board member, that person's account will be removed.

B.  Email as a Public Record

  1. Email communications are protected by the same laws and policies, and are subject to the same limitations, as communications in other media. Likewise, users shall not use College email for any purpose that violates federal law, state or local law, or College policies and procedures.
  2. Email that is created or received in connection with the transaction of the official business of the College is considered a public record. Consistent with Chapter 119, Florida Statutes, and College policies and procedures, email communications may be subject to public inspection and/or copying. Retention laws and regulations, unless expressly exempted by law, may apply.
  3. Under some conditions, personal emails could become classified as a public record. 
  4. Messages containing important or valuable information must be retained securely for future reference. (Refer to Policy 7.020 Data Classification and Security, and Procedure 7.0500 Data Classification, Security and Roles.)

C.  Social Media Rules

  1. General Rules:
    1. All College Official and Authorized Accounts are subject to the standards set forth in this Procedure, and creation and maintenance of Official and Authorized Accounts may occur only as authorized in this Procedure.  Only accounts created under this Procedure shall be considered Official or Authorized Accounts.  All other social media posts or accounts shall not be considered Official or Authorized Accounts or represent the official position of the College or any of its trustees, officers, employees, or independent contractors.
    2. The College considers its Official and Authorized Accounts which accept comment to be moderated online discussion sites and not public fora. Content must be restricted to the posted topic and subject matter. In addition, the College reserves the right to remove posts and comments that contain:
      1. Profane language or content;
      2. Content that promotes, fosters or perpetuates discrimination against protected classes;
      3. Sexual harassment content;
      4. Conduct or encouragement of illegal activity; 
      5. Spam or comments that include links to external online sites;
      6. Solicitations of commerce or advertisements including promotion or endorsement; 
      7. Promotions of particular commercial services, products or political candidates or organizations; 
      8. Content that violates legal ownership interest of any other party, such as copyright or trademark infringement; and
      9. Information that may compromise the safety or security of the public or public systems, including the College’s information technology systems.
    3. Violators of this policy may have their posts and comments removed from the College’s Official and Authorized Accounts. Violations of this policy may prompt the College to further restrict an individual’s commenting on or access to the College’s Official and Authorized Accounts.
    4. Copyright and intellectual property rights of others and of the College shall be respected when posting information. Questions about fair use of copyrighted material shall be directed to the Office of Legal Affairs in advance of any posting.
    5. Social media users must obey the terms and conditions imposed by the social media website in which the user is participating.
    6. When an administrator of one of the College’s Official or Authorized social media platforms suspects a violation of this Procedure, they shall contact the Marketing & Communications department of the College, which will review and authorize removal of a post when appropriate. When appropriate and if possible, an approved social media administrator will contact the commenter regarding a violation of the College’s Social Media Comments Policy to notify the commenter and/or to request voluntary removal of the comment. Appeals regarding the Marketing and Communications department’s decision to remove a post shall be submitted via email to socialmedia@seminolestate.edu. The Marketing and Communications department will respond to appeals within two business days.  Posts shall be subject to removal pending appeal.
  2. Rules for College Employees using Social Media Accounts:
    1. College employees may not use social media accounts in ways that violate federal, state, local and, when applicable, foreign laws, as well as College policies or procedures.  Employees who violate these laws, policies or procedures may face disciplinary action.
    2. Confidential, proprietary, or any other information protected or exempted by law about Seminole State College, students, employees, or alumni must be protected and may not be posted to any social media site. Employees must follow applicable federal requirements such as FERPA, HIPAA, Chapter 119 of the Florida Statutes, as well as NJCAA regulations. Social media users shall adhere to all applicable College privacy and confidentiality policies. Employees who share confidential or proprietary information may face disciplinary action.
    3. Employees shall not use the Seminole State name, logo or any other College images or iconography  to promote a commercial product, cause, or political party or candidate not authorized by the College.
  3. Rules for Official Accounts and Authorized Accounts:
    1. College employees shall not portray themselves as acting or speaking on behalf of the College or any part of the College, or create a social media account as an Official Account, unless authorized to do so by both the Vice President with jurisdiction over the requestor’s department (or designee) and the Vice President, Marketing & Strategic Communications (or designee). The request to create an Official Account shall include written justification.  Even when acting in their College capacity, social media users shall not represent their own positions and opinions on social media as those of the College.
    2. Employees designated as administrators (or designee) of Official or Authorized Accounts are the only persons authorized to post, create, and manage Official and Authorized Accounts.  Employees designated as administrators of Official or Authorized Accounts are  responsible for all postings on accounts they manage.
    3. Official Accounts must be reviewed and approved through an application process.  Authorization to present a social media account as an official College activity must come from both the Vice President, Marketing & Strategic Communications (or designee), and the Vice President with jurisdiction over the requestor’s unit (or designee). Each social media account will have a responsible administrator(s) assigned.
    4. Administrators must be employees of the College at the time of appointment. The Marketing & Communications department will remove an employee as a social media administrator upon notification that employment has been terminated or transferred to another department. Managers of social media platforms will be removed by the page’s administrator upon notification that employment has been terminated or the employee has transferred to another department. Employees may also be removed by the Vice President, Marketing & Strategic Communications (or designee) as social media administrators or managers if they violate this social media procedure. Administrators and/or managers who violate this social media procedure may request reinstatement via email to socialmedia@seminolestate.edu.
    5. Each Official Account must include a disclaimer statement, in a form approved by the Marketing & Communications department, regarding content and opinions contained on the site.
    6. All Official and Authorized Accounts will be publicly listed by the College in a directory of official social media webpages maintained by the Marketing & Communications department.
    7. Student organizations shall not be entitled to create Official or Authorized Accounts.  Student organizations shall not use any College trademarks, logos, or other intellectual property on their social media accounts, but may use the words “SSC”, “Seminole State” or “Seminole State College” in the name of their student organization if the organization has been recognized by the Office of Student Life.   The College may require student organizations using the words “SSC”, “Seminole State” or “Seminole State College” to use disclaimer language approved by the Marketing & Communications Department on their social media accounts.

D.  Conditions

  1. All users are expected to read and appropriately respond to their College communications on a frequent and consistent basis. The College recommends checking communications at least once each work day since certain communication may be time-sensitive.
  2. Authorized users have the responsibility to use College communications in an efficient, effective, ethical and lawful manner related to College business. Users are expected to immediately report any misuse of College communications to the Office of the Vice President of Information Technology and Resources.
  3. All use of College communications must be consistent with College policies and procedures, including but not limited to, Policy 7.010 Acceptable Use of College Technology.
  4. Official communication includes but is not limited to messages from the President, policy and procedure information, academic notifications, emergency notifications, and event announcements.
  5. An employee who represents an employee group, organization, association, etc. may be permitted to use the College’s email system to communicate with their membership and/or other College employees, as long as the individual or group has been approved to do so by the appropriate Vice President. Use of the College’s email system is a privilege that may be revoked at any time due to misuse or violation of Policy 7.010 Acceptable Use of College Technology or State Statute.  
  6. All users are expected to protect confidential and proprietary information and such information about Seminole State students, employees, or alumni should not be sent via email. Users must adhere to all applicable College privacy and confidentiality policies and follow applicable federal requirements such as FERPA and HIPAA, as well as NJCAA regulations. Those who share confidential or proprietary information may face disciplinary action or termination.
  7. When sending email, users must be mindful of the copyright and intellectual property rights of others and of the College. For guidance, consult Copyright and Fair Use Resources at https://www.seminolestate.edu/library/services/copyright/copyright-faculty. Questions regarding fair use or copyrighted material should be directed to the Seminole State College library.
  8. The College can validate only those emails that are sent from a valid College email address. Messages from personal email accounts (e.g., cfl.rr.com, hotmail.com, etc.) might not be received, and the sender may be asked to resend the message using an official Seminole State address.
  9. Authorized users shall have no expectation of privacy in anything they store, send or receive on the College’s email system.
  10. Users should exercise caution especially when committing sensitive or confidential information to email. 
  11. The College may monitor messages without prior notice or consent.
  12. The College may access email accounts for various reasons including, but not limited to, maintaining the system, investigating security or abuse incidents, investigating alleged violations of College policies or procedures, or circumstances where the account holder can no longer access the email system for any reason (e.g., death, disability, illness, or temporary/permanent separation from the College).
  13. Users shall not misrepresent themselves or another person’s identity or affiliation in email communications.
  14. Users shall not alter, disable, test, reverse-engineer, or otherwise interfere with or circumvent any aspect of College email services to find limitations and vulnerabilities or to evade filtering capabilities.
  15. Email use that intentionally distributes or supports viruses, worms, Trojan horses, malware, corrupted files, hoaxes, snooping, spoofing, spam, phishing, spidering, or other activities of a destructive or deceptive nature is prohibited.
  16. Occasional and infrequent personal use is permitted, provided personal use is kept to a minimum and does not interfere with performance, productivity, or work duties and responsibilities. 
Recommended by: Executive Team/CAC; Date: 11/17/2020
Signed by: President, Georgia L. Lorenz; Date: 12/1/2020

7.0150 Personally-Owned Devices (PODs) for Information Technology

Authority: F.S. 1001.64; 1001.65; F.A.C. 6A-14.0261
Date Adopted: 
Date of Review: 6/22
Related Policy: 7.010

Purpose

To allow College technology users, including but not limited to faculty, staff, administrators, other employees, students, and contractors, to work with personally-owned devices (POD), also known as BYOD (Bring Your Own Device), while maintaining the confidentiality, integrity, and availability of Seminole State College (“SSC”) data and systems. The use of personally-owned devices to access the College’s systems is a privilege, not a right, and may be revoked at any time.

Procedure

  1. Acceptable Use of Bring Your Own Device (BYOD) or Personally-Owned Device (POD)
    This procedure applies to all College technology users, including faculty, staff, administrators, other employees, students, contractors, consultants, and other agents who use a BYOD or POD (see Procedure 7.0001 B.5. for list of PODs) to access, store, backup, or share any of the College’s data or systems.
  2. College Responsibilities
    1. The College is not responsible for lost, damaged, or stolen PODs. When bringing PODs to the College, it is the owner’s responsibility to ensure that his/her device is secured.
    2. The College assumes no responsibility for service charges owners might incur while using PODs. This includes, but is not limited to, charges related to data plans, texting fees, and security programs.
    3. The College will not provide IT support, additional electronic power access, or network drops to support PODs.
    4. The College provides filtered Internet access and monitors user activity on the College’s network, including sites visited, content viewed, and communications sent and received. The College may monitor network activities to identify suspicious patterns without prior notice or consent.
    5. In the event of suspected misuse or violation of College policies, procedures, or guidelines regarding access to the network or use of the device, the appropriate Data Custodian (see Procedure 7.0500) may examine an owner’s personal device and search its relevant contents.
    6. When warranted, the College can and will establish audit trails in some situations to track PODs and the resulting reports may be used for investigation of possible breaches and/or misuse. The owner agrees to and accepts that his or her access and/or connection to the College’s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. This is done to identify accounts/computers that may have been compromised by external parties. In all cases, data protection remains the College’s highest priority.
  3. Employee/Student Responsibilities
    POD owners are allowed to bring personal electronic devices into the College. However, when POD owners bring their personally-owned devices, they must follow all provisions of the Acceptable Use of College Technology policy (Policy 7.010), as well as the following guidelines:
    1. Owner use of PODs within instructional settings should not, in any way, interfere with teaching, learning, or productivity.
    2. PODs should be silenced in classrooms during class times, as well as during professional gatherings, including staff meetings, professional development sessions, conference calls, and other College events.
    3. PODs should not impair the security of the College’s network. Owners are expected to maintain up-to-date antivirus and antispyware protection on all devices that are connected to the College’s wireless network or any College server. Devices without up-to-date security programs may be denied access to the network.
    4. PODs shall not, at any time, be physically connected to the College’s wired network. Only the College’s wireless network may be used for PODs. The only exception to this is when a faculty member has authorization while instructing a class in an existing physical smart classroom.
Recommended by: Executive Team/CAC    Date: 06/21/2022
Approved: President, Georgia L. Lorenz    Date: 06/22/2022

Authority: F.S. Chapter 119; 1001.64; 1001.65
Date Adopted: 09/15
Date of Review: 08/16
Date of Revision: 10/16
Related Policies: 1.160; 7.010; 7.020; 7.050


Purpose

The College has specific rules for accessing the Internet and expects all users, including students, faculty, staff, and members of the general public, using the College’s Internet service to comply in all respects with institutional and external standards for appropriate use. To ensure compliance with these rules, the College may monitor traffic going out to the Internet without prior notice or consent.

Definitions

Refer to College Procedure 7.0001 Information Technology and Resources – Glossary of Terms for definitions of terms used throughout this procedure. 

Procedure

The College’s authorized Internet users shall have no expectation of privacy in anything they browse, send or receive when using the College’s Internet service.

  1. Permitted Uses of the Internet:
    1. The Internet connection provided by the College is primarily for work-related or academic purposes.
    2. Occasional and reasonable personal use is permitted, provided that personal use is kept to a minimum and does not interfere with performance, productivity, or work duties and responsibilities.
    3. Users will observe professional and ethical guidelines, applicable federal or state laws, and any College procedures.
  2. Prohibited Uses of the Internet:
    Users will not use the College’s Internet to view, download, save, receive, or send material related to or including:
    1. Offensive content of any kind, including pornographic material.
    2. Promoting discrimination on the basis of race, color, religion, pregnancy, national origin, ethnicity, age, sex, gender, veterans or military status, disability, sexual orientation, genetic information, marital status, or any other protected factor.
    3. Threatening or violent behavior.
    4. Illegal activities.
    5. Commercial messages.
    6. Gambling of any form or type.
    7. Personal financial gain.
    8. Forwarding email chain letters.
    9. Spamming email accounts for College email services or machines.
    10. Material protected under copyright laws, including but not limited to MP3 music, movies, and other entertainment files.
    11. Sending or dispersing without authorization, College restricted, sensitive, or confidential data to students, employees, business associates, or anyone outside the College.

i This does not preclude the strict use for academic or pedagogic purpose of materials that some might deem to be offensive.


Recommended by: Executive Team    Date: 10/18/2016
Signed by: President E. Ann McGee    Date: 10/26/2016


7.0200 Inactivation of Access to Information Technology Systems for Terminating Employees

Authority: F.S. 1001.64; 1001.65; F.A.C. 6A-14.092 Textbook Affordability; Higher Education Opportunity Act of 2008
Date Adopted: 07/01/2006
Date of Revision: 05/09; 08/11; 03/2012; 09/2014; 09/2018; 05/20
Related Policy: 1.020; 5.200; 7.010; 7.020

Purpose

To define and outline the procedure for the timely inactivation of access to the College's information technology systems as it relates to employees who are terminating their employment or have breaks in service with the College.

Definitions

Refer to College Procedure 7.0001 Information Technology and Resources – Glossary of Terms for definitions of terms used throughout this procedure.

Procedure

  1. Notification to the Human Resources Office (HR) of employee terminations. Supervisors are required to notify HR when employees are terminating their employment with the College.
    1. Full-time Employees - The employee termination notification to HR occurs through the receipt of employee resignation letters, supervisor recommendations for non-renewal of employee contracts, supervisor recommendations for employee dismissals, etc.
    2. Part-Time Employees - The employee termination notification occurs through the receipt of supervisor emails to HR, employee resignation letters, supervisor recommendations for employee dismissals, etc. In addition, as a secondary measure, to ensure that HR is aware of terminations or breaks in service of part-time employees, HR monitors the dates that employees are last paid. This is accomplished through the review of monthly reports from the Human Resources system. Part-time employees can stay in active employment status for up to four months beyond their last date paid, at which time the Human Resources department will enter termination information in the system.
       
  2. Notification to the Computer and Telecommunication Systems department (CTS) of employee terminations.
    1. HR or Supervisors notify CTS, through the College's electronic mail system, of employee terminations within two business days of receiving the termination notice or of making the determination by monitoring when part-time employees were last paid, as indicated above. In addition, a termination action entered in the system by HR will trigger the inactivation process.
  3. Inactivation of Employee Access to the College's Information Technology Systems
    1. Within two business days of receiving electronic notice of employee terminations, CTS reviews the security assigned and removes any non-self-service access. 
    2. CTS determines what changes need to be made regarding access to the College's information technology systems by following these steps:
      1. All student roles remain active but all non-self-service roles are removed. Therefore, terminating employees who are students of the College are allowed access through their Student Roles and, if applicable, their view-only self-service roles.
      2. Determine whether the Professor or Adjunct instructor has completed the FERPA training in the period specified in Procedure 7.0100. If they have not, the instructor may be subject to discipline up to and including termination.
      3. For Retirees, please refer to Procedure 2.4600 Retiree Benefit Program for additional information regarding access to the College’s information technology systems.

  4. Evidence of Timely Inactivation of Access to the College's Information Technology Systems
    1. CTS maintains records that show evidence of the timely inactivation of employee access to the information technology systems.
Recommended by: Executive Team/CAC    Date: 11/17/2020
Signed by: President, Georgia L. Lorenz    Date: 12/1/2020

7.0400 Information technology Security Awareness

Purpose

To ensure that the College community is aware of Seminole State College’s security policies and acceptable use of Information Technology resources.

Definitions

Users – All employees who have access to College Information Technology resources via a College-assigned Userid and Password.

Procedure

Security Awareness Statement:

  1. A hard copy of the College's Acceptable Use of Information Technology Policy 7.010 and the Security Awareness Statement will be distributed to each employee attending new employee orientation.
  2. Key points of the policy will be communicated to attendees and their questions addressed during the orientation session.
  3. Computing & Telecommunications Services (CTS) will send an electronic communication to all computer users each year during the Fall Term requesting acknowledgement of the Security Awareness Statement.
  4. CTS will send a follow-up electronic communication to unresponsive users, with their supervisor copied on the e-mail, and will expect timely acknowledgment of the policy.
Recommended by: Executive Team    Date: 10/16/2012
Approved: President, E. Ann McGee    Date: 10/19/2012

7.0500 Data Classification, Security and Roles

Authority: Family Educational Rights and Privacy Act (FERPA); Gramm-Leach-Bliley Act of 1999 (GLBA); Health Insurance Portability and Accountability Act (HIPAA) of 1996; F.S. 119.01; 257.36; 1001.64; 1001.65
Date Adopted: 01/13
Date of Review: 08/16
Date of Revision: 10/16
Related Policies: 7.010; 7.020

Purpose

Seminole State College provides valuable technological resources to support educational activities and administrative functions. These resources, including computing systems and software, as well as internal and external data, voice, and video networks, are relational and shared resources. To preserve these resources for the common good, the College expects all users, including students, faculty, staff, administrators, other employees, and members of the general public using Seminole’s information technology resources, to comply in all respects with institutional and external standards for their appropriate use.

Procedure

  • Data Classification
    • Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data will be classified in one of the categories listed below in order to: implement security at the appropriate level commensurate with data value, sensitivity, and risk; establish guidelines for legal/regulatory compliance; and reduce or eliminate conflicting standards and controls over data.
      Data Category: Restricted
        Description: Data protected by law or regulation whose improper use or disclosure could:
          • Adversely affect the ability of the College to accomplish its mission
          • Lead to the possibility of identity theft by release of personally identifiable information of College constituents
          • Put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA
          • Put the College into a state of non-compliance with contractual obligations
        Examples:
          • Social security numbers
          • Grades
          • Financial aid data
      Data Category: Sensitive
        Description:
          • Data that Data Managers have decided NOT to publish or make public
          • Data protected by contractual obligations.
          By default, ALL INSTITUTIONAL DATA are classified as SENSITIVE
        Examples:
          • Purchasing data
          • Information covered by non-disclosure agreements
      Data Category: Public
        Description:
          • Low level of sensitivity
          • Data that the general public may be granted access to in accordance with Florida Statutes Chapter 119 Public Records and FERPA
        Examples:
          • Directory information
          • Academic course descriptions
  • Data Security
    1. Data in Restricted, Sensitive and Public categories require security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the College, result in financial loss, or violate law, policy or College contracts.
    2. Security access by employees of the College will be implemented in compliance with FERPA requirements as follows:
      1. FERPA makes it clear that school officials with legitimate educational interests may be given access to personally identifiable information about students.
      2. A person employed by the College in an administrative, counseling, supervisory, academic, student affairs, research position, or a support person to these positions may be granted access to FERPA-protected data when that data is relevant to the accomplishment of assigned duties or a determination about a student.
      3. Persons must complete an online FERPA module and satisfactorily pass an exam, prior to classes starting, before security approval and access to student records will be granted. An exception may be provided for new faculty and adjunct instructors in their first term, if they complete the module and exam within two weeks after the start of the semester to maintain security access.
    3. Security measures for data are set by the Data Custodian, working in cooperation with the Data Stewards, as defined below. The following roles and responsibilities are established for carrying out data policy:
  • Security Roles and Responsibilities 
    1. The functional requirements listed in a job description determine the type of data and the level of system access an employee will need to perform his/her job. These requirements are used to develop and assign a specific User Profile and Security Role to the employee. When implemented, the User Profile and the Security Role provide the employee with access needed to perform his/her job while maintaining the security and integrity of College data. CTS is responsible for maintaining a list of security access assigned to each employee.
    2. Data Trustees, Data Stewards, and Data Custodians
      Data Trustees, Stewards, and Custodians are responsible for establishing and carrying out College data policy. They will:
      1. Implement the security plan.
      2. Ensure that users receive the appropriate access to the system.
      3. Resolve functional security issues as well as troubleshoot custodial security problems.
      4. Assure cross-functional security compatibility.
      5. Audit security compliance regularly.
      6. Review and update the security plan regularly.
    3. Data Trustee (Administrator)
      Data Trustees are senior College officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning Data Stewards, participating in establishing policies, and promoting data resource management for the good of the entire College.
      | Data Trustees | Data Type |
      |---|---|
      | President | All College Data |
      | Chief Financial Officer | Financial Data and HR Data |
      | Chief Information Officer | Information Technology Data |
      | Chief Student Affairs Officer | Student Data |

    4. Data Steward (Approver)
      Data Stewards are College officials having direct operational-level responsibility for information management – usually department directors. Data Stewards are responsible for data access and policy implementation issues.
      | Data Stewards | Data Type |
      |---|---|
      | Associate Director, Payroll Services | Payroll, Time and Labor; Payroll, Time and Labor Setup Tables |
      | Associate Director, Student Accounting | Student Financials Data, Student Financials System Setup |
      | Associate Vice President, Financial Services | Financial Data, Financial Data Setup Tables |
      | Associate Vice President, Human Resources | Human Resources Data, Human Resources Setup Tables |
      | Associate Vice President, Information Technology and Resources | Information Technology, Data Correction |
      | Director, Curriculum, Credit and Academic Scheduling | Curriculum, Instructor and Scheduling Information, Associated System Setup |
      | Director, Enrollment Services/Registrar | Student Data (including Counseling, Admissions, Testing, and Enrollment Services), System Setup for Student Data, Row-Level Security |
      | Director, Facilities | Maintenance Management Data, Maintenance Management Setup |
      | Director, Student Financial Resources | Student Financial Aid Data, Student Financial Aid System Setup |



    5. Data Custodian (Owner)
      The Computing and Telecommunication Services Department (CTS) is the Data Custodian. The Custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
      Data Custodians include:
      VP, Information Technology and Resources/CIO
      Associate Vice President, Information Technology and Resources
      Director, Network and User Support Services
    6. Data User (User)
      Most College Faculty and Staff are assigned the role of “Data User.” Data Users are individuals who need and use College data as part of their assigned duties or in fulfillment of assigned roles or functions within the College community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.

      Detailed information regarding User access and inactivation is located in:
      Procedure 7.0100 Access to Information Technology and Reassignment, and
      Procedure 7.0200 Inactivation of Access to Information Technology Systems for Terminating Employees.
  • Security Review
    1. Each Data Steward will conduct an annual data security review. In addition, CTS will conduct an annual review of procedures, incidents, and responses, and will publish all relevant materials except in those cases where publication may lead to breaches of security or privacy. Publication of these materials is for the purpose of educating the College community on information technology security and privacy issues. CTS will assure that procedures and responses are appropriately reflective of those widely practiced at other colleges.
  • Confidentiality
    1. Confidentiality of data and/or records subject to this procedure shall be determined in accordance with State and federal laws including, but not limited to, Florida’s Public Records Act, Chapter 119, Florida Statutes, and the Family Educational Rights and Privacy Act (FERPA).
    2. Confidentiality Agreement
      Seminole State College maintains information that is sensitive and valuable. Such information is often protected by Federal and State laws that prohibit its unauthorized use or disclosure. The exposure of such information to unauthorized individuals could cause permanent harm to the College or members of the College community. All employees are expected to sign the Confidentiality Agreement (at the end of this document) before access can be granted to College restricted data.

Recommended by: Executive Team/CAC    Date: 09/18/18
Signed by: President Georgia Lorenz    Date: 09/27/18


Confidentiality Agreement

I understand that student, employee, and financial information from any source and in any form, may be confidential and is available to me solely for the performance of my official duties as a Seminole State College employee. I will protect the privacy and confidentiality of student, employee, and financial information to which I have access in accordance with State and Federal records/privacy laws as well as College policy and procedures, and will use it solely for the performance of my official duties, whether on or off site. I also understand that I may have the ability to access student information outside my unit of responsibility, but will only utilize that access as it applies to my unit of responsibility.

I Further Agree That:

  1. I will only access information I need to do my job.
  2. I will protect the privacy of student, employee, and financial information.
  3. I will keep my password secret and I will not share it with anyone, including family members.
  4. I will log off any password-protected application before leaving my workstation. This includes my personal computer while working at home.
  5. I will tell my supervisor if I think someone knows or is using my password.
  6. I will not show, tell, copy, give, sell, review, change, trash or otherwise utilize any confidential information except as it relates to my job. If it is part of my job to do any of these tasks, I will follow the correct department procedure (such as shredding confidential papers before throwing them away).
  7. I will not misuse or be careless with confidential or sensitive information.
  8. I will not use anyone else’s password.
  9. I will not share any confidential or sensitive information even if I am no longer a Seminole State employee.
  10. I will tell my supervisor if I think someone else is violating this agreement.
  11. I am responsible for actions that result when I gain access using my password.
  12. I am responsible for my use of confidential information.
  13. I am responsible for my failure to protect my password or access to confidential information.
  14. I know that my access to confidential information may be audited.
  15. I know that confidential information I learn on the job does not belong to me.
  16. I know that Seminole State may take away my security access at any time.

Failure to comply with this agreement may result in disciplinary action regarding my employment at Seminole State College and/or civil or legal penalties. By signing this Agreement, I agree that I have read, understand, and will comply with it.

 

_______________________________               __________________
Employee Signature                            Date

Contact