08:17:05 Information Technology Services
- Information Technology Services (ITS) is responsible for providing access to computer systems the data stored in them. College students and staff rely on the security of the computer systems to protect instructional, research, personal, operational and other sensitive data maintained in those computer systems. It is essential that these systems be protected from misuse and that both the computer systems and the data stored in them are accessed and maintained in a secure environment.
- This document does not waive any claim that the College may have to ownership or control of any hardware, software, or data created on, stored on, or transmitted through College computing systems. Network requirements and standards are covered in another CHSCC policy.
- This policy establishes a process and procedure used to request initial computer access and computer set-ups for new employees. The policy is the high level support for all security access requests and the procedures/processes that are used to ensure access is granted only as authorized. The policy establishes access review between data owner and Information Technology Services (ITS) to ensure access is limited to only those individuals requiring access to perform their job duties. This policy also provides support for electronic mail initial set-up, storage limits, and archival of email (non-record.)
- The scope of this policy includes all full time College staff and faculty, adjuncts, contractors, vendors and student workers.
- Access Requests:
- There are two separate types of access a new employee might need to perform their job. They include the basic computer set-up and special access set-up. For specific "How to..." procedure and process requirements for all hiring situations and for "How to Request Adjunct Continued ITS Access" please go to the ITS Web Page and click on Access Requests. https://itservices.chattanoogastate.edu/. Access processes for all Banner data requiring special access permissions are also located in the same area.
- Training is required for both.
- Basic - Basic computer set-up includes: access to Exchange - CHSCC's email system, TigerWeb and Self-Service Banner access, staff wireless access and standard desktop computer set-up, and/or any required Information Technology (IT) equipment, i.e. desktop, laptop, and/or phones.
- Special - If a new employee, or an employee that has changed job, also require special Internet Native Banner (INB) access, ARGOS reporting capability or BDMS to fulfill job duties, this type of access must be requested the through the appropriate process located on ITS web site.
- Training Requirements
- FERPA training acknowledgement as required by TBR guidelines will be handled through ChSCC Student Services.
- New employees should attend the "Introduction to CHSCC Computer Systems" course within 30 business days of hire. Please call the computer training coordinator at ext. 2581 to set up the training.
- All employees that work with PCI data will have to take annual PCI training. This training is on-line and requires a specific score on a test before they can start/continue working with PCI data.
- Electronic Mail
- Electronic Mail (email) is provided to faculty/staff and students through Microsoft Office 365 and is hosted in the cloud environment. ITS does not manage email stored at Office 365 and no emails are archived at an Enterprise level (except those considered records by the individual user - see 5.1.c below.)
- The following are guidelines for email support:
- Individual users are responsible for the maintenance of their "cloud" email storage. Recovery of
- deleted emails, managing space, etc., is the responsibility of the individual user. If email is deleted
- from email account in the cloud, ITS cannot recover the email
- Individual users will review ChSCC 08:16 Data Security Policy for details on protection of confidential
- data, identifying data, sensitive and/or personal data, or PCI protected data before inclusion within an email.
- Social Security Numbers, (SSNs) are never included within an email, unless fully encrypted.
- The official cloud hosting site for ChSCC emails is Office 365.
- If an email contains record information and needs to be retained, please consult TBR Guideline G-70,
- Disposal of Records and your supervisor, advisor or Dean. ChSCC' S record retention system is the BDMS system.
- Changing or Removing Access:
- Supervisors for employees, contractors, etc., that are leaving CHSCC for any reason, or are changing jobs within ChSCC should notify ITS as soon as possible, to ensure security access is removed on the date the employee leaves or changes jobs. Any user account will be disabled after one (1) year of inactivity.
- ITS 08:16 Data Security Procedure provides guidelines to requests for additional access due to an employee changing jobs, receiving a new supervisor, etc., or any change that could impact access requirements will require completion of new forms.
- Changing or Removing Access for Contract Workers:
- Anyone on a contract will have access limits set to disable upon last day of the contract, unless action is taken to continue access by supervisor. All vendors that require access must follow the same process for ChSCC employees. Vendor access will be disabled as soon as their work has been completed. For instructions on adjunct continuing access, please go to the ITS web Page, Access Requests https://itservices.chattanoogastate.edu/forms.php.
- Any user account will be disabled after one (1) year of inactivity.
- Emergency Access Removal:
- Emergency access removal requests can only be authorized by employee's Vice President, Vice President of HR, or the President of the College. To initiate the emergency access removal process, notify the Assistant VP of ITS or the Director, Systems Development and Operations. Once notified, requester will be contacted to ensure exactly what needs to take place and when.
- Access will be removed upon stated date for emergency access removal. Access to Exchange email will only be disabled initially. Disabling the account allows the supervisor or others, as necessary, to have access to the emails, etc., if required. ITS will work with designated individuals to determine when the email box, etc., can be deleted.
- Special INB Access Reviews:
- ITS will contact each individual data owner responsible for approving special access authorizations for access reviews at least annually. Notification received by ITS through official channels concerning personnel changes that impact access will be shared with appropriate data owners to ensure access lists stay current between data owners and ITS.
- Access to Forms:
- Supervisors can find detailed instructions on initiating access workflow processes by accessing the ITS Web Page and click on Processes. https://itservices.chattanoogastate.edu/.
1. State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/Apr 2008
2. Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00
3. Tennessee Board of Regents (TBR) G-070 Disposal of Records
4. Tennessee Board of Regents (TBR) Guideline G-075 Litigation Hold Notice procedures for Federal Litigation (Federal Rules of Civil Procedure)
Approved Rev 5:
Approved Rev 5:
Dr Flora Tydings, President, 8/25/2016
Reviewed and Revised by: Information Technology Services, 09/30/08
Reviewed and Revised by: Information Technology Services, 03/27/09 No updates required
Reviewed and Revised by: Information Technology Services, 06/01/10 No updates required
Reviewed and Revised by Information Technology Services, 12/1/2011 Rev 3 Reviewed and Revised by Information Technology Services, 05/7/2012 No Updates Required
Reviewed and Revised by Information Technology Services, 05/7/2014 Rev 4
Reviewed and Revised by Information Technology Services, 11/17/2015 Rev 5
Revision 5 Changes
Pages All. Computer Services was changed to reflect new name of Information Technology Services.
Page1. Section - Purpose. Added the following statement, "This policy also specifies electronic mail initial set-up, storage limits, and archival of email (non-record.)
Page 2 Section 4.3 - Payment Card Industry. All employees that work with PCI data will have to take annual PCI training. This training is on-line and requires a specific score on a test before they can start/continue working with PCI data.
Page 2. Section - 5 - Electronic Mail: Complete section was replaced. Office 365 cloud storage was added to replace on-site storage of email and Electronic Vault.
Page 3. Section - 7 - Changing or Removing Access for Contractors. Complete section was added to reference workflow process located on ITS Web Page.
Page 1-5 All Sections - Renumbered due to new sections being added.