- Chattanooga State Community College relies heavily on its electronic data processing systems and the data stored in them to meet its educational, informational and operational needs. College students and staff rely on the security of the computer systems to protect instructional, research, personal, operational and other sensitive data maintained in those computer systems. It is essential that these systems be protected from misuse and that both the computer systems and the data stored in them are accessed and maintained in a secure environment.
- The standards described herein are those ChSCC intends to use in the normal operation of its computing systems and facilities. This document does not waive any claim that the College may have to ownership or control of any hardware, software, or data created on, stored on, or transmitted through College computing systems. Network requirements and standards are covered in another ChSCC policy. Further data handling restrictions can be found in ChSCC Policy 08:21 Red Flag and Identity Theft Prevention Program.
- This policy functions as data and computing standards and provides data security classifications for ChSCC (the College) data. This policy describes specific required capabilities in electronic communications systems and also specifies how ChSCC data (including PCI and Identity Theft protected data) is to be secured, managed, retained, and disposed of.
- The scope of this policy includes all ChSCC staff, (including contractors and student workers), faculty, students, authorized users, contractors and visitors that have access to College facilities, computing resources or College data. The scope also includes all data created and maintained by the College, (i.e. student, research, financial, payroll/personnel, etc.) except where superseded by grant or other contracts, or by federal Copyright Law, regardless of the medium on which it resides (e.g., paper, fiche, in electronic form on tape, cartridge, disk, CD-ROM, or hard drive, etc.) and regardless of form (e.g., text, graphics, video, voice, etc.) Included in the scope are all computer systems owned, leased or maintained by the College. This includes: microcomputers/PCs, servers, various peripheral equipment including, but not limited to, printers and modems; and all Web pages and applications contained on College equipment or disseminated via College resources.
Data Security and Classification Requirements:
- College data, regardless of its medium and/or form, shall meet the following requirements. At a minimum, data shall be classified as public or confidential, be appropriately secured and not accessible to non-approved users when not in use. (Refer to Responsible Use Policy, IT Policy 08.14)
- Made secure against unauthorized creation, updating, processing, outputting, and distribution.
- The decision on handling and classification is determined from three separate and distinct areas:
- Data identification -What is the institutional risk if the data is lost, stolen, or provided to unauthorized person?
- Data integrity -What is the institutional risk and impact on the institution should the data not be trustworthy?
- Data availability What is the impact on the institution should the data not be available for some period of time?
Access to Data:
- Data will be accessed, used and disposed of in a manner commensurate with the data's classification and will be disseminated by officially designated offices only in accordance with ChSCC policies and procedures. All computer access granted to an authorized user will be removed when that user terminates employment, graduates, or withdraws from the College.
- Access to Public institutional data may be granted to any requester and/or it is published with no restrictions. Public data is not considered sensitive. The integrity of "Public" data should be protected, and the appropriate department or unit must authorize replication or copying of the data in order to ensure it remains accurate over time. The impact on the institution should public data not be available is typically low, (inconvenient, but not debilitation). Examples of "Public" Data include published "whitepapers", directory information, maps, department websites, and academic course descriptions. This data may be made generally available without specific data custodian approval.
- Access to confidential, internal, non-public institutional data must be requested from, and authorized by, the department or unit who is responsible for the data. Access to this type of internal data may be authorized to individuals based on job classification or responsibilities (role-based access), and may also be limited by ones' employing unit or affiliation. Some confidential information is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law. The impact on the institution should confidential data not be available can be from moderate to very high, depending on the information. Examples of the types of data that would moderate impact include project information, official college records such as financial reports, human resources information, some research data, unofficial student records
- (including grade books without SSNs), and budget information. Examples of confidential data that if lost, corrupted or unauthorized disclosure occurred, could result in business, financial or legal loss include: official student grades and financial aid data, social security and credit card numbers (PCI Compliance information), and individuals' health information. (See ChSCC IT Policy 08:14 Responsible Use and 08:15 Security Incident Response for reportable situation requirements based on TBR Policy B-080 and 08:20 Red Flag and Identity Theft Prevention Program.)
Data Security, Management, Retention, and Disposition Requirements:
- ChSCC departments should not use, store, or display confidential data, identifying data, sensitive personal data, or PCI protected data, including Social Security Numbers (i.e., SSNs) unless required by law and then only within the requirements of this policy and federal/State/TBR policies. These types of data should not be stored on a PC or Laptop, unless at least one of the following security recommendations is met.
- The data is only stored on an encrypted hard drive.
- The data is not stored on the PC or laptop, but stored on a server located in a secure area, that is protected for the required level of data access.
- The data is stored on an encrypted removable drive such as an encrypted USB flash drive that is secured when not in use.
Requesting Banner Confidential/Protected Data Access for Staff or Faculty:
- Only the specified owners of Confidential/Protected data can authorize access to the data under their control. A process is in place to handle requests for access and subsequent authorization, including requests for report data. If you have an employee that requires access for Banner Confidential/Protected data, refer to ChSCC IT Policy 08:17 Computer Access. In order to ensure employees only have the access that is needed to perform current job duties, if an employee changes jobs within ChSCC, current access of that employee will be disabled, and new access requests are required.
User's Responsibility to Protect the Data:
- The best way to ensure data is kept secured is the user's dedication to protecting that data. Users should collect, distribute, and retain only the minimal amount of personal and protected data that is related to your business needs and/or assigned tasks. Ensure you delete personal and protected information when there is no longer a business need for its retention. When personal or protected data must be included in the distribution of data, include notification of that fact, including reference to this policy. Always comply with existing College policies/standards regarding the handling of Confidential/Protected data (e.g., do not leave data exposed on desks or on computer screens left unattended; properly store and/or dispose of data, etc.)
Supervisor's Responsibility to Protect the Data:
- Supervisors have a special duty to protect ChSCC data and that is only request staff access to personal and protected data as needed to perform assigned duties. Review access lists on a periodic basis and if someone changes jobs, or otherwise impacts their requirement of access to protected data, ensure the Computer Center is notified so that requirement requests can be kept up-to-date. Design reports, database systems, etc., so that personal and protected information can be identified. Be aware of who is working with protected data and ensure that unauthorized individuals do not have access to the data. Be prepared to supply information needed (e.g., name, address, email) and to notify impacted individuals if a data security breach occurs. (See ChSCC IT Policy 08:15 Security Incident Response)
Confidential/Protected Data Requirements:
- This type of data requires that an audit trail be in effect that monitors access and modification, and is appropriately backed up to allow for recovery. Data stored on servers maintained by Computer Services will be backed up based on customer requirements documented on the Roles and Responsibilities Service Level Agreements. Data transmitted over any communication network shall be transmitted in encrypted form or other appropriate and equally secure method. This level of data will only be accessible on the WWW with the permission of the appropriate College data custodian. WWW access to such data shall be secured in a manner that is commensurate with the classification and confidentiality of the data contained on the page/publication.
- Passwords are required on all computer systems (e.g., desktops, laptops, PDAs, etc.) in which Confidential or Protected data is stored or maintained or have access to College networks. (See ChSCC IT Policy 08.13 Computer Passwords.) Appropriate hardware and software security (e.g., cable lockdowns, password access control, data compression and encryption, audit log of access, updates, etc.) shall be placed on all microcomputers/PCs and transportable computers which have Confidential/Protected data stored in them (i.e., on the local drive).
Outside ChSCC access:
- Vendors, contractors, consultants and external auditors needing access to College data must read and acknowledge in writing that their firm has read, understood and will comply with all College data and computing guidelines/standards. Vendors will be assigned a CHSCC escort as needed by the department requiring the access.
Computer System and Resource Security Requirements before Installation:
- Computer system and resource security requirements or a documented, equivalent compensating control shall be documented and implemented in according with ChSCC Information Technology Policies. Specific controls required to be in place before a system, application, tool, etc., is considered ready to be installed as production include:
- All vendor-supplied default passwords are changed before any computer or communications system, printer, copier, fax machine or other equipment is used for College related business. (See ChSCC IT Policy 08.13 Computer Passwords for complete details.)
- Authorized user logon ids/operator ids on administrative and research computer systems are inactivated or an authorized user's access connection is immediately terminated if the authorized user does not provide a correct password after five (5) consecutive attempts. (See ChSCC IT Policy 08.13 Computer Passwords for complete details.)
- Passwords or pin numbers used to protect access to College data are not hard-coded into software/source code developed by ChSCC staff or students.
Hardware Physical/Environmental Requirements:
- When technically and reasonably possible, workstations, personal computers, transportable computers and printers housed in unsecured public areas (e.g., student labs, libraries, etc.) should be physically secured, as needed to provide protection from theft and/or modification. All workstations and microcomputer/PC systems are outfitted with uninterruptible power supply (UPS) systems, electrical power filters, or surge suppressers, as appropriate in order to prevent damage.
- Master copies of software, to the extent consistent with applicable licenses and laws, shall be stored in a safe and secure location. These master copies shall not be used for ordinary business, but must be reserved for recovery from computer virus infections, hard disk crashes, and other computer problems.
- Proper disk maintenance practices are followed (e.g., clearly label back up data, application and operating system diskettes; store away from extreme cold/heat; protect from dust, excessive moisture or water; keep away from magnetic devices including radios, telephones, keys, wall magnets, etc.) When disposing (e.g., recycling, salvaging, transferring ownership to another party, etc.) of microcomputer/PC hard disks, the hard disks should be wiped to make the data irretrievable.
References: These Standards comply with and are based on the laws of the United States, State of Tennessee, Tennessee Board of Regents, and other regulatory agencies. This includes all applicable federal and state laws which govern the privacy, confidentiality, security and use of data, and the use and security of computer systems and data including:
1. The Department of Education "Family Educational Rights and Privacy Act of 1974" (as amended), 34 CFR, Part 99 2. Payment Card Industry (PCI) Compliance, 07/01/2001 3. Tennessee Board of Regents Guideline B-090 Gramm-Leach-Bliley Act, Safeguarding of Customer's Nonpublic Financial Information. 4. Tennessee Board of Regents Guideline G-070 Disposal of Records - RDA2161. 5. Tennessee Board of Regents Guideline B-80
If this Guideline conflicts with federal or state statute, the applicable statute shall apply.
Additionally, other College Policies, Guidelines, Standards and/or campus procedures may
impose certain restrictions that are not specifically covered by state and federal statue or
6. Chattanooga State Community College IT Policy 08.13 Computer Passwords
7. Chattanooga State Community College IT Policy 08:14 Responsible Use
8. Chattanooga State Community College IT Policy 08:15 Security Incident Response
9. Chattanooga State Community College IT Policy 08:17 Computer Access 10. Chattanooga State Community College IT Policy 08:20 Red Flag and Identity Theft Prevention Program