08:17:01 Computer Access
- Introduction: The purpose of this policy is to establish a minimum expectation with respect to access controls in order to protect instructional, research, personal, operational and other sensitive data maintained in computer systems. It is essential that these systems be protected from misuse and that both the computer systems and the data stored in them are accessed and maintained in a secure environment. This document does not waive any claim that the College may have to ownership or control of any hardware, software, or data created on, stored on, or transmitted through College computing systems. Refer to TBR Policy 01:08:03:00 Access Control for specific guidance.
- This policy covers all full time College staff and faculty, adjuncts, contractors, vendors, temporary workers, student workers and any other authorized users who are permitted access to College systems or data.
- Any computer, laptop, printer or device that an authorized user connects to the campus network is subject to this policy. Authorized users accessing institutional computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.
- User access to data at Chattanooga State will be controlled based on requirements of individual accountability, need to know and least privilege.
- For specific "How to..." procedures and process requirements for all hiring situations and for "How to Request Adjunct Continued IT Access" please go to the Technology web page and click on Access Requests. Access processes for Banner data requiring special access permissions are also located in the same area. Any specific training required for access due to job requirements should be discussed with assigned supervisor.
- User identification and authentication requires a combination of a personal user login ID and a unique password for all users before they are allowed access to institutional networks and systems. Everyone, students, faculty, staff, adjuncts, contractors, vendors, etc., that require access is provide an individual user-id and password. At ChSCC, this is referred to as your Tiger ID and password.
- All user access must be authenticated. Requirements for audit purposes require that actions taken on a computer system be traced back to a specific user-id. All users of security systems must be accurately identified, a positive identification must be maintained throughout the login session and actions must be linked to specific users.
- Having specialized system access is determined by specific requirements for certain roles. This level of access is limited to ensure protection of data and computer systems and to ensure business processes are kept intact. Access is audited with data owner on an annual basis.
- Electronic Mail (email) is provided to faculty/staff and students through Microsoft Office 365 and is hosted in the cloud environment. Individual users are responsible for the maintenance of their email account.
- One TB of storage is provided for each One Drive account.
- Individual users should review 08:16:00 Data Security and Controls for details on protection of confidential data, identifying data, sensitive and/or personal data, or Payment Card Industry (PCI) protected data before inclusion within an email. Social Security Numbers, (SSNs) are never included within an email, unless fully encrypted.
- If an email contains record information and needs to be retained, please consult TBR Policy 1:12:01:00 Records Retention and Disposal of Records, your supervisor, advisor or Dean. Chattanooga State's record retention system is the Banner Document Management System (BDMS).
- Supervisors of employees, contractors, temporary workers etc., who are leaving Chattanooga State for any reason or are changing jobs within Chattanooga State, should follow HR guidelines to ensure Technology Division is notified as soon as possible, to ensure all security access, including Banner, VPN, Argos, Office 365, etc., is removed on the date the employee leaves or changes jobs. If an individual is changing jobs within ChSCC, the gaining supervisor will need to request access to ensure that only needed access for the new job is given.
- All faculty and staff will have all technology access disabled upon the date provided on termination/retirement/etc., paperwork. The account will be deleted if inactive for 3 years.
- Adjunct faculty access can be continued by following the continued access work flow process. This is an automated workflow process. For instructions on adjunct continuing access, please go to the Technology Web Page, Adjunct Continuing Access Requests. Adjuncts not marked as needing continuing access will have accounts disabled and deleted if inactive for 1 year.
- Student accounts will be deleted after one year if the student never actually attends Chattanooga State.
- Those individuals that are on "contract", i.e., contractors, vendors, etc., will be set to be disabled upon last day of the contract. Requesting supervisors for vendor access must submit a new service request if the access must be extended. These type of user accounts will be deleted after one year of inactivity, unless notified.
- Emergency access removal requests can only be authorized by the employee's Vice President, Executive Director of HR, or the President of the College. To initiate the emergency access removal process, notify the Technology Division Vice President or Executive Director of Information Management. Once notified, the requester will be contacted to ensure exactly what needs to take place and when.
- Access will be removed upon stated date for emergency access removal. Access to Exchange email will only be disabled initially. Disabling the account allows the supervisor or others, as necessary, to have access to the emails, etc., if required. Technology will work with designated individuals to determine when the email box, etc., can be deleted.
- To protect data from unauthorized viewing or to prevent someone hacking into someone else's account computer access will be automatically locked if the computer is inactive for a specific time. Logging out each time you are done with an application is the best way to protect your data from being stolen.
- All teacher stations will have system "sleep" mode enabled after 60 minutes of inactivity.
- All staff/faculty desktops and/or laptops will have system "sleep" mode enabled after 10 minutes of inactivity.
- All labs or student use desktops/laptops will have system "sleep" mode enabled after 10 minutes of inactivity.
- To re-enable the system, simply enter your password on the screen.
- Persons in violation of this policy are subject to a range of sanctions determined and enforced by institution management, including the loss of computer access privileges, disciplinary action, dismissal from the institution, and legal action. Some violations may constitute criminal offenses, per Tennessee and other local and federal laws. The College will carry out its responsibility to report such violations to the appropriate authorities.
State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:01, 12/15/2016
Tennessee Board of Regents (TBR) Policy 1:08:03:00 Access Control, 5/14/2019
Tennessee Board of Regents (TBR) Policy 1:12:01:00 Record Retention and Disposal of Records, 5/14/2019
Chattanooga State Community College Technology Division Policy 08:16:00 Data Security, 10/24/2017
Submitted to Policy Review Committee on September 16, 2019
Submitted to Policy Review Board on October 21, 2019
Approved by Policy Review Board on October 30, 2019
See Previous Version(s):
Submitted to Policy Review Committee on October 24, 2018
Submitted to Policy Review Board on November 30, 2018
Approved by Policy Review Board on December 6, 2018
Approved: President's Cabinet, 02/12/2012 rev 4
Reviewed and Revised by Computer Services, 12/1/2011 rev 3
Reviewed and Revised by: Computer Services, 06/01/10 No updates required
Approved: Executive Staff, 05/20/09 and President's Cabinet, 05/20/09 rev 1
Reviewed and Revised by: Computer Services, 03/27/09 No updates required
Reviewed and Revised by: Computer Services, 09/30/08