Policy Compliance:   IA

 

PURPOSE

The purpose of this policy is to ensure an information technology infrastructure that promotes the mission of the college.  SPC’s information services network has been established for the use and benefit of SPC in the conduct of its academic, business, and other operations.  This document provides direction and support for the SPC Information Security Program and the Information Technology (SPC-IS) Policies. 

This framework of IT security policies collectively represents the basis of the institutional Information Security program and on the aggregate whole meet the objectives as articulated by Texas Administrative Code Chapter 202 (TAC§202), Texas Higher Education Coordinating Board (THECB) and the associated guidelines. 

This policy promotes the following goals:

  • To ensure the integrity, reliability, availability, and performance of SPC information technology resources;
  • To ensure that use of SPC information technology resources is consistent with the principles and values that governs SPC as a whole;
  • To ensure that information technology resources are used for their intended purposes; and
  • To ensure all individuals granted access privileges to SPC information technology resources have a clear understanding of what is expected during use and the consequences of violating SPC policies.

 

SCOPE 

This program applies equally to all individuals granted access privileges to any South Plains College (SPC) information technology resources.

 

POLICY STATEMENT 

Information technology resources play an integral part in the fulfillment of the primary mission of the college.  Users of SPC’s information technology resources have a responsibility to protect and respect those resources, and are responsible for knowing the regulations and policies that apply to appropriate use of the college’s information technology resources. 

Users must understand the expectation that if needed SPC information technology resources may be limited and/or regulated by SPC to fulfill the primary mission of the college. Usage may be constrained as required to assure adequate capacity, optimal performance, and appropriate security of those resources. 

Anyone using SPC’s information resources expressly consents to monitoring of the network by the college at any time and for any purpose, including but not necessarily limited to, evidence of possible criminal activity, violations of law, contract, copyright or patent infringement, and/or violation of any college policy, rule, or regulation.

 

SPC information security policies can be found on the SPC website at:  https://www.southplainscollege.edu/human_resources/policy_procedure/ig.php

The Information Security User Guide which contains a summary of user related policies can be found at: http://[Need LINK TO SECURITY GUIDE] 

The Information Security Program, which contains the framework ensures that the appropriate safeguards are applied to SPC information systems. The program document can be found at:  http://[Need LINK TO INFO SECURITY PROGRAM] 

 

A review of the institution's information security program for compliance with these standards will be performed at least biennially, based on business risk management decisions, by individual(s) independent of the information security program and designated by the institution of higher education head or his or her designated representative(s).TAC 202.76(c)

 

NON-CONSENSUAL ACCESS 

SPC cannot absolutely guarantee the privacy or confidentiality of electronic documents. Consequently, persons that use these SPC-owned resources, or any personally owned device that may be connected to an SPC resource, have no right to privacy in their use of these resources and devices. However, SPC will take reasonable precautions to protect the privacy and confidentiality of electronic documents and to assure persons that SPC will not seek access to their electronic messages or documents without their prior consent except where necessary to:

  • Satisfy the requirements of the Texas Public Information Act, or other statutes, laws or regulations;
  • Allow institutional officials to fulfill their responsibilities when acting in their assigned capacity;
  • Protect the integrity of SPC’s information technology resources, and the rights and other property of SPC;
  • Allow system administrators to perform routine maintenance and operations, security reviews, and respond to emergency situations; or
  • Protect the rights of individuals working in collaborative situations where information and files are shared. 

To appropriately preserve the privacy of electronic documents and allow authorized individuals to perform their assigned duties, specific college staff and law enforcement will sign an SPC Non-Consensual Access to Electronic Information Resources Request Form annually and submit the form to the Office of the Information Resources Manager (IRM).  At the beginning of each fiscal year, non-consensual access requests will be resubmitted, reviewed, and approved or denied by the IRM. 

Individuals may request non-consensual access to specific data by initiating the Non-   Consensual Access to Electronic Information Resources Request Form, obtaining the approval of their organizational head, and submitting the form to the Office of the Information Resources Manager (IRM).  If the request appears compliant with college policy, the IRM or designee will coordinate with the Information Security Officer (ISO) as necessary to satisfy the request.

 

VIOLATIONS

 

Failure to adhere to the provisions of the information technology security policies may result in: 

  • suspension or loss of access to institutional information technology resources
  • appropriate disciplinary action under existing procedures applicable to students, faculty and staff, and
  • civil or criminal prosecution 

Potential violations will be investigated in a manner consistent with applicable laws and regulations, and SPC policies, standards, guidelines and practices.

 

EXCEPTIONS TO POLICY 

Exceptions are granted on a case-by-case basis and must be reviewed and approved by the College designated IRM or appointed representative. The required Policy Exception Form and procedures can be found at  http://[LINK TO POLICY EXEMPTION FORM]  The IRM will mandate the documentation and additional administrative approvals required for consideration of each policy exception request. 

REFERENCE 

There are many individual laws, regulations, and policies that establish our information security requirements.   While it is not possible to list all potentially applicable laws and regulations, the most relevant are listed in the Texas State College Systems Rules and Regulations, Policy Guideline TSUS IT.02.01, Information Security Policy. The primary applicable references are listed below.

DIR Security Controls Catalog Control Group: PM-1

 

  • Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C (TAC§202)
  • National Institute of Standards and Technology, Special Publication 800-171
    (NIST 800-171)
  • The Federal Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • Federal Information Security Management Act of 2002 (FISMA)
  • Texas Administrative Code, Title 1, Subchapter 203
  • Texas Government Code, Title 5, Subtitle A, Chapter 552
  • Texas Penal Code, Chapter 33, Computer Crimes
  • Texas Penal Code, § 37.10, Tampering with Governmental Record
  • United States Code, Title 18, § 1030, Computer Fraud and Related Activity of 1986
  • Copyright Act of 1976
  • Digital Millennium Copyright Act October 20, 1998
  • Electronic Communications Privacy Act of 1986
  • The Information Resources Management Act (IRM) TGC, Title 10, Subtitle B, 2054.075(b)
  • Computer Software Rental Amendments Act of 1990
  • ISO/IEC 27002:2005 standards jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
  • Texas Department of Information Resources (DIR) Practices for Protecting Information Resources Assets

 

Approved by:     Executive Council, December 9, 2019

Next Review:   October 1, 2020