08:17:01 Computer Access
- Introduction: The purpose of this policy is to establish a minimum expectation with respect to access controls in order to protect instructional, research, personal, operational and other sensitive data maintained in computer systems. It is essential that these systems be protected from misuse and that both the computer systems and the data stored in them are accessed and maintained in a secure environment. This document does not waive any claim that the College may have to ownership or control of any hardware, software, or data created on, stored on, or transmitted through College computing systems. Refer to TBR Policy 01:08:03:00 Access Control for specific guidance.
- This policy covers all full time College staff and faculty, adjuncts, students, contractors, vendors, temporary workers, student workers and any other authorized users who are permitted access to College systems or data.
- Any computer, laptop, printer or device that an authorized user connects to the campus network is subject to this policy. Authorized users accessing institutional computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.
- User access to data at Chattanooga State will be controlled based on requirements of individual accountability, need to know and least privilege.
- Access privileges shall be controlled based on the following criteria, as appropriate:
- Identity (user-ID);
- Role or function;
- Physical or logical locations;
- Time of day/week/month;
- Transaction based access;
- Access modes such as read, write, execute, delete, create, and/or search.
- For specific “How to…” procedures and process requirements for all hiring situations and for “How to Request Adjunct Continued IT Access” please go to the Technology web page and click on Access Requests. Access processes for Banner data requiring special access permissions are also located in the same area. Any specific training required for access due to job requirements should be discussed with assigned supervisor.
- User identification and authentication requires a combination of a personal user login ID and a unique password for all users before they are allowed access to institutional networks and systems. Everyone, students, faculty, staff, adjuncts, contractors, vendors, etc., that require access is provide an individual user-id and password. At ChSCC, this is referred to as your Tiger ID and password.
- All user access must be authenticated. Requirements for audit purposes require that actions taken on a computer system be traced back to a specific user-id. All users of security systems must be accurately identified, a positive identification must be maintained throughout the login session and actions must be linked to specific users.
- Having specialized system access is determined by specific requirements for certain roles. This level of access is limited to ensure protection of data and computer systems and to ensure business processes are kept intact. Access is audited with data owner on a reocurring basis.
- Electronic Mail (email) is provided to faculty/staff and students through Microsoft Office 365 and is hosted in the cloud environment. Individual users are responsible for the maintenance of their email account.
- One TB of storage is provided for each One Drive account.
- Individual users should review 08:16:00 Data Security and Controls for details on protection of confidential data, identifying data, sensitive and/or personal data, or Payment Card Industry (PCI) protected data before inclusion within an email. Social Security Numbers, (SSNs) are never included within an email, unless fully encrypted.
- If an email contains record information and needs to be retained, please consult TBR Policy 1:12:01:00 Records Retention and Disposal of Records, your supervisor, advisor or Dean. Chattanooga State’s record retention system is the Banner Document Management System (BDMS).
- Supervisors of employees, contractors, temporary workers etc., who are leaving Chattanooga State for any reason or are changing jobs within Chattanooga State, should follow HR guidelines so that Technology Division is notified as soon as possible, to ensure all security access, including Banner, VPN, Argos, Office 365, etc., is removed on the termination date. If an individual is changing jobs within ChSCC, the current supervisor of the individual changing jobs needs to submit a Technology Service Request to remove any system access or job required access (share drives, etc.). The gaining supervisor will need to request access to ensure that only needed access for the new job is given.
- All faculty and staff will have all technology access disabled upon the date provided by HR on termination/retirement/etc., paperwork.
- Adjunct faculty access can be continued by following the continued access work flow process. This is an automated workflow process. For instructions on adjunct continuing access, please go to the Technology Web Page, Adjunct Continuing Access Requests. Adjuncts not marked as needing continuing access will have accounts disabled on specific dates set within the Adjunct Continuing Access system.
- Student accounts will be disabled after two years after inactivity.
- Those individuals that are on “contract”, i.e., contractors, vendors, etc., will be set to be disabled upon last day of the contract. Requesting supervisors for vendor access must submit a new service request if the access must be extended. These type of user accounts will be disabled after one year of inactivity, unless notified.
- Emergency access removal requests can only be authorized by the employee’s Vice President, Executive Director of HR, or the President of the College. To initiate the emergency access removal process, notify the Technology Division Vice President or Executive Director of Information Management. Once notified, the requester will be contacted to ensure exactly what needs to take place and when.
- Access will be removed upon stated date for emergency access removal. Access to Exchange email will only be disabled initially. Disabling the account allows the supervisor or others, as necessary, to have access to the emails, etc., if required. Technology will work with designated individuals to determine when the email box, etc., can be deleted.
- To protect data from unauthorized viewing or to prevent someone hacking into someone else’s account computer access will be automatically locked if the computer is inactive for a specific time. Logging out each time you are done with an application is the best way to protect your data from being stolen.
- All teacher stations, in labs and classrooms, will have system “sleep” mode enabled after 60 minutes of inactivity.
- All staff/faculty desktops and/or laptops will have system “sleep” mode enabled after 10 minutes of inactivity.
- All labs or student use desktops/laptops will have system “sleep” mode enabled after 10 minutes of inactivity.
- Kiosk systems do not have sleep mode enabled.
- Persons in violation of this policy are subject to a range of sanctions determined and enforced by institution management, including the loss of computer access privileges, disciplinary action, dismissal from the institution, and legal action. Some violations may constitute criminal offenses, per Tennessee and other local and federal laws. The College will carry out its responsibility to report such violations to the appropriate authorities.
References:
NIST SP 800-171 Rev 5, Security and Privacy Controls for Information Systems and Organizations September 2020
State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:05, 8/2/2021
Tennessee Board of Regents (TBR) Policy 1:08:03:00 Access Control, 5/14/2019
Tennessee Board of Regents (TBR) Policy 1:12:01:00 Record Retention and Disposal of Records, 5/14/2019
Chattanooga State Community College Technology Division Policy 08:16:00 Data Security, 10/24/2017
Submitted to Policy Review Committee on February 21, 2022
Submitted to Policy Review Board on March 28, 2022
Approved by the Policy Review Board on April 13, 2022
Previous Version(s):
Submitted to Policy Review Committee on February 28, 2021
Submitted to Policy Review Board on March 22, 2021
Approved by Policy Review Board on April 21, 2021
Submitted to Policy Review Committee on September 16, 2019
Submitted to Policy Review Board on October 21, 2019
Approved by Policy Review Board on October 30, 2019
Submitted to Policy Review Committee on October 24, 2018
Submitted to Policy Review Board on November 30, 2018
Approved by Policy Review Board on December 6, 2018
Approved: President’s Cabinet, 02/12/2012 rev 4
Reviewed and Revised by Computer Services, 12/1/2011 rev 3
Reviewed and Revised by: Computer Services, 06/01/10 No updates required
Approved: Executive Staff, 05/20/09 and President’s Cabinet, 05/20/09 rev 1
Reviewed and Revised by: Computer Services, 03/27/09 No updates required
Reviewed and Revised by: Computer Services, 09/30/08
|