Information Technology and Resources Procedures Printed Version
7.0001 Information technology and Resources - Glossary of Terms
Based on board policy number and Florida Statutes: | F.S. 1001.64; 1001.65 |
---|---|
Effective Date: | 09/2015 |
Date of Review: | --- |
Purpose
The purpose of this procedure is to provide a glossary of terms related to College information technology and resources to ensure their consistent application and interpretation.
Procedure
- Information Technology includes, but is not limited to, the following:
- closed-circuit television
- College website and web pages
- computer systems
- computers
- data sets
- distance learning materials and technology
- e-mail and e-mail systems
- Internet access
- Enterprise servers
- networks (wireless and wired access)
- on-line courses
- peripheral equipment (such as printers) and related hardware and software
- storage devices (such as CD-ROMS and hard or soft drives)
- support of any courses requiring IT services
- workstations
- The meaning of each of the terms listed here (in alphabetical order) should be interpreted as written regardless of the context in which it is presented (policies, procedures, discussion, announcements, etc.).
- Account - Refers to the computer access account, established for each person provided with access to the College's information technology systems.
- Contingent Worker/Person of Interest – Refers to an unpaid worker (i.e., can be a volunteer, an intern, or a person paid through a temporary employment agency), who is not classified as an employee but might need access to the College’s information systems to perform assigned tasks.
- Data
- Confidential data (also called restricted data)– such as: SSN, Grades, Financial aid data, etc., as stated in Data Classification, Security and Roles (Procedure 7.0500), is data protected by law or regulation whose improper use or disclosure could:
- Adversely affect the ability of the College to accomplish its mission
- Lead to possibility of identity theft by release of personally identifiable information of College constituents
- Put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA
- Put the College into a state of non-compliance with contractual obligations
- Enterprise data – such as: data in PeopleSoft, Active Directory, etc., is centralized data shared by many employees of the College that is critical to the administration of the College.
- Restricted data (also called confidential data)– such as: SSN, Grades, Financial aid data, etc., as stated in Data Classification, Security and Roles (Procedure 7.0500), is data protected by law or regulation whose improper use or disclosure could:
- Adversely affect the ability of the College to accomplish its mission
- Lead to possibility of identity theft by release of personally identifiable information of College constituents
- Put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA
- Put the College into a state of non-compliance with contractual obligations
- Sensitive data– By default, ALL INSTITUTIONAL DATA are classified as SENSITIVE:
- Data that Data Managers have decided NOT to publish or make public
- Data protected by contractual obligations.
- Purchasing data, Information covered by non-disclosure agreements … etc. as stated in Data Classification, Security and Roles (Procedure 7.0500)
- Confidential data (also called restricted data)– such as: SSN, Grades, Financial aid data, etc., as stated in Data Classification, Security and Roles (Procedure 7.0500), is data protected by law or regulation whose improper use or disclosure could:
- Data Leakage – The intentional or unintentional misuse of the College’s confidential sensitive data with the intended or unintended consequence of its release to non-authorized users.
- Device (also called Personally-Owned Devices or PODs) – Applies to any hardware and related software that is NOT owned or supplied by SSC, but could be used to access SSC resources. This includes devices that employees have acquired for personal use, but also wish to use in the business environment. It includes any personally-owned device capable of processing, storing, and sharing of SSC data and connecting to a network. Examples of such devices include but are not limited to; desktops, laptops, tablets, smart phones, handheld computers, or other removal media storage devices (i.e., USB drives, Optical drives … etc.).
- Email- The electronic transmission of information through a mail protocol such as SMTP or IMAP in our case is Microsoft Outlook.
- Chain email or letter - Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.
- Forwarded email - Email resent from an internal network to an outside point.
- Encryption – A procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.
- Locked - The information technology system account is considered locked when it is no longer available to the user in any capacity.
- Malware– Malicious software typically used as a catch-all term to refer to any software that causes damage to a computer, server, or computer network. The most common types of malware are: viruses, worms, Trojan-horses and spyware
- Backdoor - A malware type that bypasses the College’s computer authentication systems, potentially impacting all computer systems (e.g., desktops, laptops, tablets, servers, etc.).
- Botnet - A malware that is installed on a PC and remotely controlled by the botnet owner to commit cybercrimes.
- Rootkit – Stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
- Spyware - A program that secretly monitors your online activity and sends the data back to the programmer.
- Trojan-horses - An apparently useful and innocent application containing a hidden malicious program.
- Virus - Self-replicating malware requiring a host file that depends on human action to spread it.
- Virus Hoax – Email containing warnings about virus or malware typically with the intent to mislead users.
- Worm - Self-contained malware, needing no host file, which spreads automatically through networks.
- Personal Activities– Activities including but not limited to:
- Using College email, Internet, or other technology for personal endeavors involving social networking, blogs, personal banking accounts, cell phone operators, gaming, online gambling, social media non-work related websites, etc.
- Using College email to send a message that is unrelated to work to contact current or former employees, vendors, agents, or partners.
- Using College email to send or forward massive e-mails to public email systems, such as: Gmail, Yahoo, and Hotmail.
- Using College systems for instant messaging that is unrelated to work to contact current or former employees, vendors, agents or partners.
- Downloading massive non-work related copyrighted materials; software, documents, music, photos, videos, etc. to College information systems or equipment.
- Phishing– An attempt to acquire information such as usernames, passwords, money, and credit card information by masquerading as a trustworthy entity in an electronic communication.
- Phishing website – An attempt to acquire information (such as usernames, passwords, and credit card details) by masquerading as a trustworthy entity in an electronic communication. Phishing websites usually have a name close to the real website name and look like the original website.
- Professional Purposes – Work-related activity that is NOT personal activity.
- Proxy Website (or site) – Generally used to describe a Website that allows you to surf the Internet anonymously or allows you to unblock a Website.
- Removable Media – Devices or media readable and/or writable by the end user and able to be moved from computer to computer without modification to the computer. This includes flash memory devices (such as thumb drives, SD cards, cameras, MP3 players and PDAs); removable hard drives (including hard drive-based MP3 players); optical disks (such as CD and DVD disks; floppy disks and software disks).
- Roles
- Employee Roles - Refers to the computer access provided to employees in order for them to accomplish their duties and responsibilities.
- Instructor Roles - Refers to the computer access provided to employees who teach students.
- Student Roles - Refers to the computer access available to students of the College. Employees who are students of the College are provided with student roles in addition to any employee roles they might be provided in order to accomplish their duties and responsibilities.
- Row Level Security – Specifies the data that a particular user is permitted to access.
- Sensitive information - Sensitive information is information/data that must be protected from unauthorized access to safeguard the privacy or security of an individual or the College. Protection of sensitive information may be required for legal or ethical reasons. Please refer to Procedure 7.0500 Data Classification, Security and Roles to identify the sensitivity of information.
- Social Media- Media designed to be disseminated through social interaction using highly accessible and scalable publishing techniques. Social media uses Internet and web-based technologies to transform how people communicate with one another and receive news, information and entertainment. Types of social media include networks such as Facebook and YouTube but also include blogs and podcasts.
- Social Media Accounts - Accounts or profiles created in social media outlets such as Facebook, Twitter, YouTube, Flickr and LinkedIn.
- Social Media Poster or User - A person submitting content to any social media site that is officially recognized by Seminole State College of Florida.
- Spam – Commonly known as junk email or unsolicited bulk email.
- Threat Mitigation – The use of preventative measures to protect the integrity of the College’s computer systems.
- Unauthorized Disclosure - The intentional or unintentional revealing of restricted information to internal and external constituents unauthorized to receive that information that information. Please refer to Procedure 7.0500 Data Classification, Security and Roles to identify the sensitivity of information.
- Users – All employees who have access to College Information Technology resources via a College-assigned Userid and Password.
Recommended by | Executive Team | Date: | 09/22/2015 |
---|---|---|---|
Approved | President, E. Ann McGee | Date: | 09/28/2015 |
7.0100 Access to Information Technology and Reassignment
Access to Information Technology and Reassignment (Procedure 7.0100)
Date of Revision: | |
---|---|
Authority: | F.S. 1001.64; 1001.65; F.A.C. 6A-14.0261; F.A.C. 6A-14.092 Textbook Affordability; Higher Education Opportunity Act of 2008 |
Date Adopted: | 01/13; 02/18 |
Date of Review: | 12/17 |
Related Policy: | 7.010; 7.020 |
Purpose
To define and outline the procedure for the timely activation of access to the College's information technology systems as it relates to new faculty and staff and those whose work assignment has changed.
Definitions
Refer to College Procedure 7.0001 Information Technology and Resources – Glossary of Terms for definitions of terms used throughout this procedure.
Procedure
- User Access
All Seminole State College employees, at the date of hire, will be provided a UserID and password with basic employee security to view his/her self-service benefits and payroll information. Professors and adjunct instructors will be provided instructor security 60 days prior to the beginning of the term the instructor is scheduled to teach.
A password is private information and each User is responsible for safeguarding his/her own password. Passwords to restricted data must not be shared and it is against College Policy and Procedure to use another's Users account. Failure to conform to these restrictions may lead to suspension of UserID or other action as provided by the College’s disciplinary action procedure.
The functional requirements listed in each job description will provide the basis for determining the type of access and the level of security needed by the employee holding that position. Before access to student records is granted, employees must complete an online FERPA Skillsoft module and satisfactorily pass the exam (see Procedure 7.0500 Data Classification, Security and Roles). Professors and adjunct instructors will be required to complete the exam within two weeks after the start of the semester they are scheduled to teach to maintain records access.
Security approval and access to any college sensitive data will require a completed and properly approved online User Access Request Form. Note that if the User requires access to payroll administration, schedule building, or the financials system, the User must attend mandatory training.
Steps to Gain Access to the College’s Information Technology Systems- The hiring department completes all sections of the online User Access Request form for the employee.
- A supervisor from the hiring department approves the form and forwards it to the CTS Security Administrator for processing.
- The Security Administrator sets the User up with the requested access after the FERPA exam has been satisfactorily passed. (see Procedure 7.0500 Data Classification, Security, and Roles).
- The Security Administrator will send the User Access Request to Network for email and network setup. A notification will be sent to the User and the hiring department when access has been established.
- Reassignment and Notification
If a User’s status, job responsibilities, or other related situation changes, the User’s Supervisor must notify the Office of Human Resources as well as CTS, using the appropriate process or form. Such changes may include a change in department, position, supervisor, functional requirements, modifications in the User’s access needs, or even a name change. Such notification should be sent prior to the effective date of the change.
Notification to CTS
The User/Supervisor should complete a new User Access Request Form and follow the steps listed in Section A above to notify CTS and explain the changes needed in the User’s security access.
Within two (2) business days of receiving notice of job assignment change, CTS will review the computer access accounts and take appropriate action which may include removing or reassigning User access; notifying department managers and supervisors; and notifying system functional analysts. CTS will maintain records showing the timely reassignment of employee and Contingent Worker/Person of Interest access to information technology systems.
Recommended by | Executive Team/CAC | Date | 2/20/2018 |
---|---|---|---|
Signed by | E. Ann McGee | Date | 2/22/2018 |
7.0130 Email and Official College Electronic Communication Use
7.0150 Personally-Owned Devices (PODs) for Information Technology
Authority: | F.S. 1001.64; 1001.65; F.A.C. 6A-14.0261 |
---|---|
Date Adopted: | |
Date of Review: | 6/22 |
Related Policy: | 7.010 |
Purpose
To allow College technology users, including but not limited to faculty, staff, administrators, other employees, students, and contractors, to work with personally-owned devices (POD), also known as BYOD (Bring Your Own Device), while maintaining the confidentiality, integrity, and availability of Seminole State College (“SSC”) data and systems. The use of personally-owned devices to access the College’s systems is a privilege that may be revoked at any time, and not a right.
Procedure
- Acceptable Use of Bring Your Own Device (BYOD) or Personally-Owned Device (POD)
This procedure applies to all College technology users, including faculty, staff, administrators, other employees, students, contractors, consultants, and other agents who use a BYOD or POD (see Procedure 7.0001 B.5. for list of PODs) to access, store, backup, or share any of the College’s data or systems. - College Responsibilities
- The College is not responsible for lost, damaged, or stolen PODs. When bringing PODs to the College, it is the owner’s responsibility to ensure that his/her device is secured.
- The College assumes no responsibility for service charges owners might incur while using PODs. This includes, but is not limited to, charges related to data plans, texting fees, and security programs.
- The College will not provide IT support, additional electronic power access, or network drops to support PODs.
- The College provides filtered Internet access and monitors user activity on the College’s network, including sites visited, content viewed, and communications sent and received. The College may monitor network activities identifying suspicious patterns without prior notice or consent.
- In the event of suspected misuse or violation of College policies, procedures, or guidelines regarding access to the network or use of the device, the appropriate Data Custodian (see Procedure7.0500) may examine an owner’s personal device and search its relevant contents.
- When warranted, the College can and will establish audit trails in some situations to track PODs and the resulting reports may be used for investigation of possible breaches and/or misuse. The owner agrees to and accepts that his or her access and/or connection to the College’s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. This is done to identify accounts/computers that may have been compromised by external parties. In all cases, data protection remains the College’s highest priority.
- Employee/Student Responsibilities
With this in mind, POD owners are allowed to bring personal electronic devices into the College. However, when POD owners bring their personally-owned devices, they must follow all of the Acceptable Use of College Technology (Policy 7.010), as well as the following guidelines:- Owner use of PODs within instructional settings should not, in any way, interfere with teaching, learning, or productivity.
- PODs should be silenced in classrooms during class times, as well as, professional gatherings, including staff meetings, professional development sessions, conference calls, and other College events.
- PODs should not impair the security of the College’s network. Owners are expected to maintain up-to-date antivirus and antispyware protection on all devices that are connected to the College’s wireless network or any College server. Devices without up-to-date security programs may be denied access to the network.
- PODs shall not, at any time, be physical connected to the College’s wired network. Only the College’s wireless network may be used for PODs. The only exception to this is when a faculty member has authorization while instructing a class in an existing physical smart classroom.
Recommended by | Executive Team/CAC | Date: | 06/21/2022 |
---|---|---|---|
Approved | President, Georgia L. Lorenz | Date: | 06/22/2022 |
Authority: | F.S. Chapter 119; 1001.64; 1001.65 |
---|---|
Date Adopted: | 09/15 |
Date of Review: | 08/16 |
Date of Revision: | 10/16 |
Related Policies: | 1.160; 7.010; 7.020; 7.050 |
Purpose
The College has specific rules for accessing the Internet and expects all users including students, faculty, staff, and members of the general public, using the College’s Internet service to comply in all respects to institutional and external standards for appropriate use. To ensure compliance with these rules, the College may monitor traffic going out to the Internet without prior notice or consent.
Definitions
Refer to College Procedure 7.0001 Information Technology and Resources – Glossary of Terms for definitions of terms used throughout this procedure.
Procedure
The College’s authorized Internet users shall have no expectation of privacy in anything they browse, send or receive when using the College’s Internet service
- Permitted Uses of the Internet:
- The Internet connection provided by the College is primarily for work-related or academic purposes.
- Occasional and reasonable personal use is permitted, provided that personal use should be kept to a minimum and should not interfere with the performance, productivity, or work duties and responsibilities.
- Users will observe professional and ethical guidelines, applicable federal or state laws, and any College procedures.
- Prohibited Uses of the Internet:
Users will not use the College’s Internet to view, download, save, receive, or send material related to or including:- Offensive content of any kind, including pornographic material.
- Promoting discrimination on the basis of race, color, religion, pregnancy, national origin, ethnicity, age, sex, gender, veterans or military status, disability, sexual orientation, genetic information, marital status, or any other protected factor.
- Threatening or violent behavior.
- Illegal activities.
- Commercial messages.
- Gambling of any form or type.
- Personal financial gain.
- Forwarding email chain letters.
- Spamming email accounts for College email services or machines.
- Material protected under copyright laws, including but not limited to MP3 music, movies, and other entertainment files.
- Sending or dispersing without authorization, College restricted, sensitive, or confidential data to students, employees, business associates, or anyone outside the College.
i This does not preclude the strict use for academic or pedagogic purpose of materials that some might deem to be offensive.
Recommended by | Exectutive Team | Date | 10/18/2016 |
---|---|---|---|
Signed by | President E. Ann McGee | Date | 10/26/2016 |
7.0200 Inactivation of Access to Information Technology Systems for Terminating Employees
Authority: | F.S. 1001.64; 1001.65; F.A.C. 6A-14.092 Textbook Affordability; Higher Education Opportunity Act of 2008 |
---|---|
Date Adopted: | 07/01/2006 |
Date of Revision: | 05/09; 08/11; 03/2012; 09/2014; 09/2018; 05/20 |
Related Policy: | 1.020; 5.200; 7.010; 7.020 |
Purpose
To define and outline the procedure for the timely inactivation of access to the College's information technology systems as it relates to employees who are terminating their employment or have breaks in service with the College.
Definitions
Refer to College Procedure 7.0001 Information Technology and Resources – Glossary of Terms for definitions of terms used throughout this procedure.
Procedure
- Notification to the Human Resources Office (HR) of employee terminations. Supervisors are required to notify HR when employees are terminating their employment with the College.
- Full-time Employees - The employee termination notification to HR occurs through the receipt of employee resignation letters, supervisor recommendations for non-renewal of employee contracts, supervisor recommendations for employee dismissals, etc.
- Part-Time Employees - The employee termination notification occurs through the receipt of supervisor emails to HR, employee resignation letters, supervisor recommendations for employee dismissals, etc. In addition, as a secondary measure, to ensure that HR is aware of terminations or breaks in service of part-time employees, HR monitors the dates that employees are last paid. This is accomplished through the review of monthly reports from the Human Resources system. Part-time employees can stay in active employment status for up to four months beyond their last date paid at which time, the Human Resources department will enter termination information in the system.
- Notification to the Computer and Telecommunication Systems department (CTS) of employee terminations.
- HR or Supervisors notify CTS, through the College's electronic mail system, of employee terminations within two business days of receiving the termination notice or of making the determination by the method of monitoring when part-time employees were last paid, as indicated above. In addition, a termination action entered in the system by HR, will trigger the inactivation process.
- Inactivation of Employee Access to the College's Information Technology Systems
- Within two business days of receiving electronic notice of employee terminations, CTS reviews the security assigned and removes any non-self-service access.
- CTS determines what changes need to be made regarding access to the College's information technology systems by following these steps:
- All student roles remain active but all non-self-service roles are removed. Therefore, terminating employees who are students of the college are allowed access through their Student Roles and, if applicable, their view only self-service roles.
- Determine whether the Professor or Adjunct instructor has completed the FERPA training in the period specified in Procedure 7.0100. If they have not, the instructor may be subject to discipline up to and including termination.
- For Retirees, please refer to procedure 2.4600 Retiree Benefit Program, for additional information regarding access to the College’s information technology systems.
4. Evidence of Timely Inactivation of Access to the College's Information Technology Systems
- CTS maintains records that show evidence of the timely inactivation of employee access to the information technology systems.
Recommended by: | Executive Team/CAC | Date | 11/17/2020 |
---|---|---|---|
Signed by: | President, Georgia L. Lorenz | Date | 12/1/2020 |
7.0400 Information technology Security Awareness
Purpose
To ensure that the College community is aware of Seminole State College’s security policies and acceptable use of Information Technology resources.
Definitions
Users – All employees who have access to College Information Technology resources via a College-assigned Userid and Password.
Procedure
Security Awareness Statement:
- A hard copy of the College's Acceptable Use of Information Technology Policy 7.010and the Security Awareness Statement will be distributed to each employee attending new employee orientation.
- Key points of the policy will be communicated to attendees and their questions addressed during the orientation session.
- Computing & Telecommunications Services (CTS) will send an electronic communication to all computer users each year during the Fall Term requesting acknowledgement of the Security Awareness Statement.
- CTS will send follow up electronic communication to unresponsive users and their supervisor will be copied on this e-mail, expecting timely acknowledgment of the policy.
Recommended by | Executive Team | Date | 10/16/2012 |
---|---|---|---|
Approved | President, E. Ann McGee | Date | 10/19/2012 |
7.0500 Data Classification, Security and Roles
Authority: | Family Educational Rights and Privacy Act (FERPA); Gramm-Leach-Bliley Act of 1999 (GLBA); Health Insurance Portability and Accountability Act (HIPAA) of 1996; F.S. 119.01; 257.36; 1001.64; 1001.65 |
---|---|
Date Adopted: | 01/13 |
Date of Review: | 08/16 |
Date of Revision: | 10/16 |
Related Policies: | 7.010; 7.020 |
Purpose
Seminole State College provides valuable technological resources to support educational activities and administrative functions. These resources, including computing systems and software, as well as internal and external data, voice, and video networks, are relational and shared resources. To preserve these resources for the common good, the College expects all users, including students, faculty, staff, administrators, other employees, and members of the general public using Seminole’s information technology resources, to comply in all respects with institutional and external standards for their appropriate use.
Procedure
- Data Classification
- Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data will be classified in one of the categories listed below in order to: implement security at the appropriate level commensurate with data value, sensitivity, and risk; establish guidelines for legal/regulatory compliance; and reduce or eliminate conflicting standards and controls over data.
Data Category Description Examples Restricted Data protected by law or regulation whose improper use or disclosure could:
- Adversely affect the ability of the College to accomplish its mission
- Lead to possibility of identity theft by release of personally identifiable information of College constituents
- Put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA
- Put the College into a state of non-compliance with contractual obligations
- Social security numbers
- Grades
- Financial aid data
Sensitive - Data that Data Managers have decided NOT to publish or make public
- Data protected by contractual obligations.
By default, ALL INSTITUTIONAL DATA
are classified as SENSITIVE
- Purchasing data
- Information covered by non-disclosure agreements
Public - Low level of sensitivity
- Data that the general public may be granted access to in accordance with Florida Statutes Chapter 119 Public Records and FERPA
- Directory information
- Academic course descriptions
- Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data will be classified in one of the categories listed below in order to: implement security at the appropriate level commensurate with data value, sensitivity, and risk; establish guidelines for legal/regulatory compliance; and reduce or eliminate conflicting standards and controls over data.
- Data Security
- Data in Restricted, Sensitive and Public categories require security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the College, result in financial loss, or violate law, policy or College contracts.
- Security access by employees of the College will be implemented in compliance with FERPA requirements as follows:
- FERPA makes it clear that school officials with legitimate educational interests may be given access to personally identifiable information about students.
- A person employed by the College in an administrative, counseling, supervisory, academic, student affairs, research position, or a support person to these positions may be granted access to FERPA-protected data when that data is relevant to the accomplishment of assigned duties or a determination about a student.
- Persons must complete an online FERPA module and satisfactorily pass an exam prior to classes starting before security approval and access to student records will be granted. An exception may be provided for new faculty and adjunct instructors in their first term, if they complete the module and exam within two weeks after the start of the semester to maintain security access.
- Security measures for data are set by the Data Custodian, working in cooperation with the Data Stewards, as defined below. The following roles and responsibilities are established for carrying out data policy:
- Security Roles and Responsibilities
- The functional requirements listed in a job description determine the type of data and the level of system access an employee will need to perform his/her job. These requirements are used to develop and assign a specific User Profile and Security Role to the employee. When implemented, the User Profile and the Security Role provide the employee with access needed to perform his/her job while maintaining the security and integrity of College data. CTS is responsible for maintaining a list of security access assigned to each employee.
- Data Trustees, Data Stewards, and Data Custodians
Data Trustees, Stewards, and Custodians are responsible for establishing and carrying out College data policy. They will:- Implement the security plan.
- Ensure that users receive the appropriate access to the system.
- Resolve functional security issues as well as troubleshoot custodial security problems.
- Assure cross-functional security compatibility.
- Audit security compliance regularly.
- Review and update the security plan regularly.
- Data Trustee (Administrator)
Data Trustees are senior College officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning Data Stewards, participating in establishing policies, and promoting data resource management for the good of the entire College.Data Trustees Data Type President
All College Data
Chief Financial Officer
Financial Data and HR Data
Chief Information Officer
Information Technology Data
Chief Student Affairs Officer
Student Data
- Data Steward (Approver)
Data Stewards are College officials having direct operational-level responsibility for information management – usually department directors. Data Stewards are responsible for data access and policy implementation issues.Data Stewards Data Type Associate Director, Payroll Services
Payroll, Time and Labor; Payroll, Time and Labor Setup Tables
Associate Director, Student Accounting
Student Financials Data, Student Financials System Setup
Associate Vice President, Financial Services
Financial Data, Financial Data Setup Tables
Associate Vice President, Human Resources
Human Resources Data, Human Resources Setup Tables
Associate Vice President, Information Technology and Resources
Information Technology, Data Correction
Director, Curriculum, Credit and Academic Scheduling
Curriculum, Instructor and Scheduling Information, Associated System Setup
Director, Enrollment Services/Registrar
Student Data (including Counseling, Admissions, Testing, and Enrollment Services), System Setup for Student Data, Row-Level Security
Director, Facilities
Maintenance Management Data, Maintenance Management Setup
Director, Student Financial Resources
Student Financial Aid Data, Student Financial Aid System Setup
- Data Custodian (Owner)
The Computing and Telecommunication Services Department (CTS) is the Data Custodian. The Custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
Data Custodians include:
VP, Information Technology and Resources/CIO
Associate Vice President, Information Technology and Resources
Director, Network and User Support Services - Data User (User)
Most College Faculty and Staff are assigned the role of “Data User.” Data Users are individuals who need and use College data as part of their assigned duties or in fulfillment of assigned roles or functions within the College community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
Detailed information regarding User access and inactivation is located in:
Procedure 7.0100 Access to Information Technology and Reassignment, and
Procedure 7.0200 Inactivation of Access to Information Technology Systems for Terminating Employees.
- Security Review
- Each Data Steward will conduct an annual data security review. In addition, CTS will conduct an annual review of procedures, incidents, and responses, and will publish all relevant materials except in those cases where publication may lead to breaches of security or privacy. Publication of these materials is for the purpose of educating the College community on information technology security and privacy issues. CTS will assure that procedures and responses are appropriately reflective of those widely practiced at other colleges.
- Confidentiality
- Confidentiality of data and/or records subject to this procedure shall be determined in accordance with State and federal laws including, but not limited to, Florida’s Public Records Act, Chapter 119, Florida Statutes, and the Family Educational Rights and Privacy Act (FERPA).
- Confidentiality Agreement
Seminole State College maintains information that is sensitive and valuable. Such information is often protected by Federal and State laws that prohibit its unauthorized use or disclosure. The exposure of such information to unauthorized individuals could cause permanent harm to the College or members of the College community. All employees are expected to sign the Confidentiality Agreement (at the end of this document) before access can be granted to College restricted data.
Recommended by | Executive Team/CAC | Date | 09/18/18 |
---|---|---|---|
Signed by | President Georgia Lorenz | Date | 09/27/18 |
Confidentiality Agreement
I understand that student, employee, and financial information from any source and in any form, may be confidential and is available to me solely for the performance of my official duties as a Seminole State College employee. I will protect the privacy and confidentiality of student, employee, and financial information to which I have access in accordance with State and Federal records/privacy laws as well as College policy and procedures, and will use it solely for the performance of my official duties, whether on or off site. I also understand that I may have the ability to access student information outside my unit of responsibility, but will only utilize that access as it applies to my unit of responsibility.
I Further Agree That:
- I will only access information I need to do my job.
- I will protect the privacy of student, employee, and financial information.
- I will keep my password secret and I will not share it with anyone, including family members.
- I will log off any password-protected application before leaving my workstation. This includes my personal computer while working at home.
- I will tell my supervisor if I think someone knows or is using my password.
- I will not show, tell, copy, give, sell, review, change, trash or otherwise utilize any confidential information except as it relates to my job. If it is part of my job to do any of these tasks, I will follow the correct department procedure (such as shredding confidential papers before throwing them away).
- I will not misuse or be careless with confidential or sensitive information.
- I will not use anyone else’s password.
- I will not share any confidential or sensitive information even if I am no longer a Seminole State employee.
- I will tell my supervisor if I think someone else is violating this agreement.
- I am responsible for actions that result when I gain access using my password.
- I am responsible for my use of confidential information.
- I am responsible for my failure to protect my password or access to confidential information.
- I know that my access to confidential information may be audited.
- I know that confidential information I learn on the job does not belong to me.
- I know that Seminole State may take away my security access at any time.
Failure to comply with this agreement may result in disciplinary action regarding my employment at Seminole State College and/or civil or legal penalties. By signing this Agreement, I agree that I have read, understand, and will comply with it.
_______________________________ __________________ Employee Signature Date