South Plains College

Information Services (SPC-IS)

 

Data Classification Standard: I-B(b)

 

Purpose and Benefits

This standard outlines a classification process and provides procedures for classifying data in a manner that uniformly protects information entrusted to SPC.

Classifying data according to this standard may serve as a basis for evaluating the current retention and disposition schedules for its records and, where appropriate, consider revising those schedules to manage the documents that SPC must protect.

Scope

This standard applies to all information owned and maintained by SPC.

Information Statement

All information and systems must be classified per the Information Security Policy (I-A) Data Classification and Handling Section.

Information classification is based on three principles of security: 1) confidentiality, 2) integrity, and 3) availability. Information can be classified as low, moderate, or high for each principle. When classifying the impact, the entity should consider how the information/ information systems are used to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Impact levels are defined as limited, serious, severe, or catastrophic. For classification, limited impact shall be deemed to include no effect.

Potential Impact

Definitions

Low

The potential impact is low if—The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, or individuals.

A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization can perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Moderate

The potential impact is moderate if the loss of confidentiality, integrity, or availability could seriously affect organizational operations, assets, or individuals. 

A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause significant degradation in mission capability to an extent and duration that the organization can perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that do not involve loss of life or severe life-threatening injuries.

High

The potential impact is high if—The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals. 

A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

 

Each entity should review the impact levels in its operational environment.  Figure 2 shows the Information Asset Classification Categories.

 

INFORMATION CLASSIFICATION CATEGORIES per FIPS 199

LOW

MODERATE

HIGH

CONFIDENTIALITY

Consider the impact of unauthorized disclosure on factors such as:

•    Health and Safety

•    Financial Loss

•    SE Mission/Programs

•    Public Trust

The unauthorized disclosure of information could be

expected to have limited or no impact on organizational operations, assets, or individuals.

The unauthorized disclosure of information could be expected to seriously impact

organizational operations, organizational assets, or individuals.

The unauthorized disclosure of information could be expected to severely catastrophically impact organizational

operations,

assets, or individuals.

INTEGRITY

Consider the impact of unauthorized modification or destruction on factors such as:

•    Health and Safety

•    Financial Loss

•    SE Mission/Programs

•    Public Trust

The unauthorized

modification or destruction of information could be

expected to have limited or no impact on organizational operations,

organizational assets or

individuals.  

The unauthorized

modification or destruction

of information could be expected to have a serious

impact on

organizational operations, organizational assets, or individuals. 

The unauthorized modification

or destruction of

information could be

expected to have a severe or catastrophic impact on organizational

operations, organizational

assets, or individuals. 

AVAILABILITY

Consider the impact of untimely or unreliable access to information

on factors such as:

•    Health and Safety

•    Financial Loss

•    SE Mission/Programs

▪ Public Trust

Disrupting access to or use of information or an Information System could be expected to have limited or no impact on organizational operations, assets, or individuals. 

Disrupting access to or use of information or an Information System could seriously impact organizational operations, assets, or individuals. 

Disrupting access to or use of information or an Information System could be expected to have a severe or catastrophic impact on organizational operations, assets, or individuals. 

Figure 2: Information Asset Classification Matrix - National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 199 – Standards for Security Categorization of Federal Information and Information Systems

Information Classification Process

The information classification process must include the following:

  1. Identification of information assets.
  2. Classification of information assets; by confidentiality, integrity, and availability (“CIA”); and
  3. Determining controls based upon the classification.

 

1.  Identification of Information Assets

Identification of information assets involves creating an inventory of all information assets in the entity.  The following items need to be considered when constructing this inventory:

  1. Grouping of information assets
  2. Determining the information owner
  3. Determining the information custodian
  4. Identifying information assets

 

A.  Grouping of Information Assets

To facilitate the classification of information assets and allow for a more efficient application of controls, it may be desirable to appropriately group information assets together.  A broad grouping may result in applying controls unnecessarily as the asset must be classified at the highest level necessitated by its individual data elements.  For example, if a Human Resources unit decides to classify all of their personnel files as a single information asset and any one of those files contains a name and social security number, the entire grouping would need to be protected with moderate confidentiality controls.

A narrow grouping allows for more precise targeting of controls.  However, as there are more information assets to classify, this increases the complexity of the classification and the management of controls.  Using the previous example, classifying the multitude of personnel files (e.g., appointment letters, timecards, position classifications, holiday waivers) as individual information assets requires a different set of controls for each classification. 

In the case of an information technology system, such as a database, data warehouse, or application server, while it may be easier to apply a single set of controls as a result of classifying the system as a single entity, costs may be reduced by applying the controls to the individual elements, such as specific fields, records, or applications.  Therefore, it is important that the entity evaluates the risk and cost benefit of grouping a given set of assets.

B.  Determining the Information Owner

Responsibility for the classification and definition of controls for an information asset belongs to an individual in a managerial position who is ultimately responsible for the confidentiality, integrity, and availability of that information.  If multiple individuals are found to be “owners” of the same information asset, a single individual owner must be designated by a higher level of management.  The information owner is responsible for determining the information’s classification, how and by whom the information will be used.  Owners must understand the uses and risks associated with the information for which they are responsible and any laws, regulations, or policies which govern access and use.  Each owner must exercise due diligence with respect to the proper classification of data in order to prevent improper disclosure and access. 

C.  Determining the Information Custodian

Information custodians are people, units, or organizations responsible for implementing the authorized controls for information assets based on the classification level.  An information asset may have multiple custodians.  Based on the information owner’s requirements, the custodian secures the information, applying safeguards appropriate to the information’s classification level.  Information custodians can be from within the entity or from third parties (e.g., another entity). If the custodian is a third party, a formal, written agreement between the custodian’s organization and the entity that owns the information must specify the responsibilities of each party.  An information custodian may also be the information owner.

D.  Identifying Information Assets

For each information asset in their control, the information owner must identify at a minimum:

  • Source of the information asset (e.g., unit, agency)
  • Use of the information asset (i.e., purpose/business function)
  • Business processes dependent on the information asset
  • Users/groups of users of the information asset

2.  Classification of Information Assets

Owners must answer the questions in the Information Asset Classification Worksheet (Appendix A) to determine the classification of their information assets.  It is appropriate to recruit and work with subject matter experts who have specific knowledge about the information asset, such as Counsel’s Office and the Records Management Officer. The Information Security Officer (ISO)/designated security representative may also be called upon to advise and assist the information owner in determining the classification.  An entity may add more questions to the Information Asset Classification Worksheet but not alter or remove the original questions.

Information assets are classified according to confidentiality, integrity, and availability. These three security principles are individually rated as low, moderate, or high. For example, an information asset may have a confidentiality level of “high,” an integrity level of “moderate,” and an availability level of “low” (i.e., HML). 

Questions are categorized by confidentiality, integrity, and availability. Each question must be answered sequentially, to the best of the information owners’ abilities.

Compliance

This standard shall take effect upon publication. Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time; compliance with amended policies and standards is expected.

If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer’s exception process.

Related Documents

 

1 TAC § 202.74(b)(1)

1 TAC 202 SUBCHAPTER A

DIR Data Classification Guide

 

Federal Information Processing Standards Publication 199: Standards for Security Categorization of Federal Information and Information Systems

 

Information Security Risk Management Standard

Texas Security Controls Standards Catalog Control Group: CM-6, RA-5, SA-5, SA-10

NIST Function Groups: ID.AM-5

 

 

Appendix A                                                         

                           Section One: Information Asset Identification Worksheet                          

Instructions:
Record the requested information for the information asset you are classifying. Job titles, in place of named individuals, can be used where appropriate for ease of maintenance.

Completed By:

 

Completed Date:

 

Name of Information Asset:

 

 

Information Asset Description/Comment:

 

Information Asset Use:

 

 

Information Asset Format:
(i.e., paper, electronic)

 

 

Information Asset Storage:
(e.g., file cabinet, safe, database, network share, CD/DVD, portable drive)

 

Source of Information:

 

Business Process(es) Supported:

 

Information Owner:

 

Information Custodian:

 

Internal Information User(s):

 

 

External Information User(s):
(e.g., other agencies, other government agencies, public)

 

 

 

SECTION TWO: INFORMATION ASSET CLASSIFICATION WORKSHEET

Instructions for rating each section
If ALL answers are GREEN, the rating is Low; if ANY of the answers are YELLOW and NONE are RED, the rating is MODERATE; if ANY of the answers are RED, the rating is HIGH.

CONFIDENTIALITY QUESTIONS

 

1. Is the information publicly available?

No

Yes

 

 

2. Does the information include or contain PPSI  

    (Personal, Private, or Sensitive Information)?

No

Yes

 

 

 

 

None

Limited

Serious

Severe

3. What impact does unauthorized disclosure of information have on health and personal safety?

 

 

 

 

4. What is the financial or agency liability impact of unauthorized disclosure of information?

 

 

 

 

5. What impact does unauthorized release of sensitive information have on the entity mission?

 

 

 

 

6. What impact does unauthorized disclosure of information have on the public trust, agency reputation, and public interests?

 

 

 

 

7. Is confidentiality mandated by law or regulation? If yes, what is the impact of unauthorized disclosure of information. If no, do not make a selection.

 

 

 

 

8. Is the information intended for limited distribution? If yes, what is the impact of unauthorized disclosure. If no, do not make a selection

 

 

 

 

CONFIDENTIALITY RATING

 

 

If ALL answers are GREEN, the rating is Low; if ANY of the answers are YELLOW and NONE are RED, the rating is MODERATE; if ANY of the answers are RED, the rating is HIGH.

 

 

 

 

INTEGRITY QUESTIONS

 

 

No

Yes

1. Does the information include medical records

 

 

 

No

Yes

2. Is the information (e.g., security logs) relied upon to make critical security decisions?

 

 

 

 

None

Limited

Serious

Severe

3. What impact does unauthorized modification or destruction of information have on health and safety?

 

 

 

 

4. What is the financial impact of unauthorized modification or destruction of information?

 

 

 

 

5. What impact does unauthorized modification or destruction of information have on the SE mission?

 

 

 

 

6. What impact does unauthorized modification or destruction have on the public trust?

 

 

 

 

7. Is integrity addressed by law or regulation? If yes, what is the impact of unauthorized modification or destruction of information. If no, do not make a selection.

 

 

 

 

8. Is the information (e.g., financial transactions, performance appraisals) relied upon to make business decisions? If yes, what is the impact of unauthorized modification or destruction of information. If no, do not make a selection.

 

 

 

 

INTEGRITY RATING

 

 

If ALL answers are GREEN, the rating is Low; if ANY of the answers are YELLOW and NONE are RED, the rating is MODERATE; if ANY of the answers are RED, the rating is HIGH.

 

 

 

 

 

AVAILABILITY QUESTIONS

Assessment Question

 

As time permits

Within 1 to 7 days

24 hrs. per day/7 days a week

1. This information needs to be available:

 

 

 

Impact Questions

 

None

Limited

Serious

Severe

2. What is the impact to health and safety if the information were not available when needed?

 

 

 

 

3. What is the financial impact if the information were not available when needed?

 

 

 

 

4. What is the impact to the SE mission if the information were not available when needed?

 

 

 

 

5. What is the impact to public trust if the information were not available when needed?

 

 

 

 

AVAILABILITY RATING

 
             

 

If ALL answers are GREEN, the rating is Low; if ANY of the answers are YELLOW and NONE are RED, the rating is MODERATE; if ANY of the answers are RED, the rating is HIGH.

 

________________________________            _____________________________
Information Owner - print                                                 Date

________________________________
Information Owner - signature   

________________________________            _____________________________
ISO/Designated security representative - print                      Date

_________________________________________
ISO/Designated security representative - signature

 

 

APPENDIX B: INFORMATION CLASSIFICATION SUPPLEMENTAL GUIDANCE

Introduction

 The classification of information will be the basis for many information security decisions in an organization.  Before deciding the level of resources (i.e., money, time, and technology) required for protection, it is essential that you know what information needs to be protected and the level of protection that is required.  The purpose of this supplement is to provide additional guidance on the information classification process.

 

Identifying Information Assets

An efficient approach towards identifying information assets is for information owners to maintain an inventory for each information asset in their control. The inventory should minimally include the following:

 

  1. Source of the information asset (e.g., unit, agency)
  2. Use of the information asset (i.e., purpose/business function)
  3. Business processes dependent on the information asset
  4. Users/groups of users of the information asset
  5. Owner of the information asset

Information assets can be identified using the template provided in Section One of Appendix A or this information can be extracted from an existing information inventory, if available.  Job titles, in place of named individuals, can be used for the custodian, owner, and users in order to ease maintenance of your information asset inventory.  Samples of completed templates are provided below in Figures 1 and 2.

 

Figure 1: Information Asset Identification Template by Single Asset

 

 

 

 

 

Figure 2:  Information Asset Identification Template by Grouped Asset

Information Needed for Determining the Classification

Before determining the classification, it may be beneficial for the information owner to familiarize themselves with the following areas:  

 

Source, Purpose, and Value:

  • How the information asset is used in supporting business functions.
  • How often the information asset is used.
  • How often the information asset is updated.
  • Dependencies between this information asset and others.
  • The cost of creating and duplicating the information.

Legal Requirements:

  • Laws, regulations, policies, or contracts that mandate special security requirements for the information (g., Health Insurance Portability and Accountability Act (HIPAA)).
  • Retention requirements for the information asset.

Access Requirements:

  • Who has/should have access to the information (i.e., people, positions, organizational units).
  • Whether the information is shared among other units/entities, third-parties, Federal/local governments.

Health and Safety Concerns:

  • Impact on employees as well as the public.

Mission:

  • The overall mission of the entity.
  • The information owner’s role (or unit’s role) in completing the mission.

Non-tangible Effects:

  • Impact if information asset is not available (temporarily or permanently).
  • The effect of a breach of confidentiality, integrity, or availability on the intangible assets of the entity such as reputation, trust and morale.

 

Classification of Information Assets

Classification of information assets is facilitated by the use of a series of questions.  The answers will help determine the information asset classification. 

 

The Information Asset Classification Worksheet, found in Appendix A, contains the confidentiality, integrity, and availability questions that must be answered when classifying information.  Following are example answers to assist in determining the appropriate response.

Confidentiality Questions

[1]  Is the information publicly available?

Example(s):  Information that must be lawfully made available to the general public from Federal, State, or local government records or information that does not need to be withheld for security, legal or privacy concerns is generally deemed publicly available. Examples include public transportation schedules, a listing of local city events, or health improvement guidelines.  These items would be ranked low in confidentiality.

 

[2]  Does the information include or contain personally identifying information (PII)?

Example(s): A W-2 form contains a name, as well as a social security number.  This would be considered private information and therefore have a minimum confidentiality of moderate, which may be adjusted based on responses to subsequent impact questions. 

 

[3] What impact does unauthorized disclosure of information have on health and personal safety?

Example(s):  There may be information which, if publicly released, may impact the health and personal safety of the entity’s workforce and citizens such as, the blueprint and drawings of critical infrastructure buildings, critical infrastructure related systems, network configurations, or disaster recovery/business continuity plans. These could be exploited by criminals to sabotage or destroy buildings, emergency services, or critical infrastructure operations resulting in a severe impact to health and personal safety of citizens thereby placing these items in the high confidentiality category.

 

[4] What is the financial or agency liability impact of unauthorized disclosure of information?

Example(s):  The entity may be exposed to litigation or regulatory fines due to disclosure of information protected by law or confidentiality agreements. For instance, unauthorized release of vendor bid information containing bidder’s proprietary information could jeopardize the bidding process as well as potentially expose the organization to litigation.

Similarly, if the investment decisions of the entity’s retirement system become known prior to their execution, it could alter the market sentiment ahead of the investment causing financial losses.

 

[5] What impact does unauthorized release of sensitive information have on the entity mission?

Example(s):  An entity may be charged with ensuring that illegal goods do not enter.  As part of that mission, the entity may be responsible for collecting and maintaining information regarding unmanned border crossings.  If there was an unauthorized release of that information, resulting in an increase of illegal traffic, it could have a severe impact on the entity’s ability to fulfill its mission.

An example of limited impact would be the release of employee contact information which may result in additional phone calls/emails/office visits.

If a list of local delivery restaurants and their phone numbers is disclosed, there would be no impact.

 

[6] What impact does unauthorized disclosure of information have on the entity’s intangible assets such as the public trust, agency reputation, and public interests?

Example(s): It is important for the government to maintain the public’s trust.   For example, the unauthorized exposure of medical records could lead to a loss of the public trust in the entity’s ability to protect sensitive information.

An entity which collects and maintains the confidential records of citizens requires a high level of public trust. Unauthorized disclosure of data through the actions of a malicious insider, external hacker, or through a random accident could erode the public’s trust in the SE and their ability to protect citizen data.

 

[7] Is confidentiality mandated by law or regulation?  If yes, determine the impact of   unauthorized  disclosure of information.

Example(s):  Some types of information, including personal health records, student grades, and financial and personnel records may be protected by Federal, State, and local laws or regulations. Disclosing this information can lead to civil or criminal liability. There are several key statutes, such as HIPAA, that should be examined based on the information asset being classified.

 

[8]   Is the information intended for limited distribution?  If yes, determine the impact of the unauthorized  disclosure of that information.

Example(s):  Some information generated within an entity is for internal use only and is not meant to be disclosed externally. The confidentiality of such information varies considerably based on the information asset. Information, such as system security configurations, which, if released, could jeopardize the security of an entity’s assets, would require high confidentiality controls.

Administrative information, such as procedures for travel approval, though not publicized outside the entity, would be information that the public could legitimately obtain and should be ranked as low in confidentiality.

 

Integrity Questions

 

[1]  Does the information include medical records?

Example(s):  In the case of a health care institution, it is important that medical records and medical history are accurate. For example, it may be important to know whether someone is allergic to specific medications so that they are not administered. In addition, it would be necessary to know whether a person has a particular illness or medical condition which would require special treatment. Malicious or accidental alteration of a patient’s health records  can cause serious health consequences for that individual.  Medical records require a minimum integrity classification of moderate.  This rating may be adjusted based on responses to subsequent questions.

 

[2]  Is the information relied upon to make critical security decisions?

Example(s):  It is important that security records (e.g., computer security logs, building security access logs) are accurate in order to verify legitimate access and identify unauthorized access attempts.  Security related records require a minimum integrity classification of moderate.  This rating may be adjusted based on responses to subsequent questions.

 

[3]  What impact does unauthorized modification or destruction of information have on health and safety?

Example(s):  There is a potential for severe impact on the safety of citizens if someone accesses an airline system and modifies the onboard navigation system. 

The removal or editing of surveillance tapes may have a serious or severe impact depending on the presence of additional information provided by other forms of surveillance.

Something that could be of low to no impact on health and safety would be the unauthorized modification of an employee’s calendars.

 

[4] What is the financial impact of unauthorized modification or destruction of information?

Example(s):  There are many financial implications for the destruction or modification of information. It does not strictly mean monetary loss, but can also include loss of employee time and effort for recovery. Something that would have severe financial impact might be the loss of all financial records from an entity’s financial management database. 

If a database of vendor contact information was deleted, it would involve effort in re-creating the database. This would probably be of limited impact.

 

[5] What impact does unauthorized modification or destruction of information have on the entity mission?

Example(s):  Entity operations could be drastically affected if information is changed without authorization.  For example, if someone removed all the phone numbers in a Do Not Call registry, it would severely impact the mission of the program to prevent unwanted calls to registered numbers.

The mission of a university is to provide education and certify the qualifications of students through academic degrees. Malicious or accidental changes to student’s academic records would have a severe impact on the university’s mission of issuing academic credentials.

 

[6] What impact does unauthorized modification or destruction of information have on the public trust?

Example(s):  The public relies on government to provide accurate information.  Failure to do so would erode public trust.  For example, if information on certification for licensed professionals was inaccurately modified without authorization and then posted to a public web site, the public would no longer trust the entity posting the information as a reputable source for this information. 

 

[7] Is integrity addressed by law or regulation?  If yes, determine the impact of unauthorized modification or destruction of information.      

Example(s):  Some types of information, including personal health records, student grades, and financial and personnel records, may be protected by Federal, State, and local laws. Allowing unauthorized changes to information may have legal consequences. There are several key statutes that should be examined based on the information asset being classified.  For example, HIPAA requires safeguards to protect against threats to the integrity of electronic protected health information .

 

[8] Is the information (e.g., financial transactions, performance appraisals) relied upon to make business decisions?  If yes, determine the impact of unauthorized modification or destruction of that information.

Example(s):  It is important for financial information to remain reliable. Unauthorized changes to financial transactions (e.g., direct deposit, electronic funds transfer) could severely impact the financial stability of an entity.   

Employee appraisal records are used to make important personnel decisions. Someone may attempt to falsify records in hopes of getting a promotion, alternate employment, or to diminish someone else’s reputation and/or record.  The impact to the entity could vary dependent upon the situation.

 

Availability Questions

[1] This information needs to be provided or available:

As time permits

Within 1 to 7 days

24 hrs. per day/7 days a week

Example(s):  Intrusion detection systems send event notifications so that an incident can be analyzed and escalated based on the level of threat. Since security is critical, and severe damage can be caused to entity data and networks, this operation is time critical and requires high availability (24 hrs. per day/7 days a week).

 

[2] What is the impact to health and safety if information were not available when needed?

Example(s):  Medical records contain information (e.g., allergies, blood type, previous medications) which is critical for providing patients with accurate medical care.  Lack of availability to this data during emergency medical care can lead to life threatening situations therefore placing these items in the high availability (24 hrs. per day/7 days a week) category.

 

[3] What is the financial impact if information were not available when needed?

Example(s):  For any entity where online services generate revenue, a disruption of service can have a financial impact which could be deemed severe.     

A personal computer system crash which can be solved by a simple reboot would have limited impact.

 

[4] What is the impact to the entity mission if information were not available when needed?

Example(s):  Public transportation’s mission is to get customers quickly and efficiently to various locations.  If access to train, bus, and subway schedules was unavailable, this could lead to an inability of public transportation to fulfill its mission.  The impact to its mission would be severe.

 

[5] What is the impact to the public trust if the information were not available when needed?

Example(s):  Entities have spent considerable effort modernizing operations to include online services and encouraging the public to use these services.  If these services were seriously degraded or disrupted, this could cause serious embarrassment to the entity resulting in a severe impact and an erosion of the public’s trust in the entity and the online services. The availability in this case would be high.

 

 

 

Section A: District Legal Status, History and Purpose

AA. College District Legal Status and History (BP)
AB. College Name (BP)
AC. System of Governance (BP)
AD. College District Geographic Boundaries and Service Area (BP)
AE. Educational Role and Mission, Purpose and Responsibility (BP)
AF. Vision Statement and Organizational Values

Section B: Governance, Executive Functions and Organization

BA.   Purpose, Powers and Responsibilities of the Board
BAB. Specific Duties of the Board (BL)
BAC. Rights and Responsibilities of the Board (BL)
BB.   Eligibility and Qualifications for Serving on the Board of Regents (BL)
BBA. Election of Board Members (BL)
BBB. Orientation and Professional Development of Board Members (BL)
BBC. Election of Board Officers (BL)
BBD. Duties of the Chairman of the Board (BL)
BBE. Duties of the Vice Chairman (BL)
BBF. Duties of the Secretary (BL)
BC.   Regular Board Meetings (BL)
BCA. Special Meetings (BL)
BCB. Official Business at Regular and Special Meetings (BL)
BCC. Quorum Necessary for Transaction of Business (BL)
BCD. Order of Business (BL)
BCE. Rules of Order (BL)
BCF. Public Participation (BL)
BCG. Board Self Evaluation
BD.   Board Committees (BL)
BE.   Conventions, Conferences and Workshops (BP)
BF.   Policy and By-Law Development (BP)
BFA. Amendments to the By-Laws (BL)
BG.  Board Member Statement of Ethics
BGA. Standards of Conduct and Conflict of Interest
BGAA. Conflict of Interest Disclosure
BGB. Code of Ethics (BP)
BH.  Board Vacancies
BHA. Removal from Office
BI.   Employment of the College President (BL)
BIA. Qualifications of the President (BP)
BIB. The College President as the Executive Officer (BP)
BIC. Evaluation of the President (BP)
BID. Administrative Organization Plan (BP)
BIDA. College Organizational Chart (PDF file opens with Acrobat Reader, 380kb)
BIE. Administrative Rules and Regulations (BP)
BIF. Planning and Institutional Effectiveness (BP)
BJA. Employment of Independent Auditor (BP)
BJB. Employment of College Attorney (BP)
BJC. Selection of Chief Tax Officials (BP)
BK. Relationship between South Plains College and the South Plains College Foundation, Inc. (BP)
BKA. Foundation Administration and Investment of Funds (BP)
BKB. Use of Employees or Property of the College by the Foundation (BP)
BKC. Officer/Director of the College (BP)
BKD. Acceptance of Gifts by the College (BP)
BL. Accreditation (BP)
BLA. Substantive Change

Executive Officers of the College
BMA. Vice President for Academic Affairs
BMB. Vice President for Student Affairs
BMC. Vice President for Business Affairs
BMD. Vice President for Institutional Advancement
Instructional Deans of the College
BME. Dean of Arts and Sciences
BMF. Dean of Health Sciences
BMG. Dean of Technical Education
BMH. Dean of Dual Credit & Early College Programs
Student Services Deans of the College
BMI. Dean of Enrollment Services
BMJ. Dean of Students
BMK. Associate Dean of Students
BN.   Executive Council
BO.  Administrative Council
BP.  Advisory Board By-Laws
BQ. Technical Advisory Committee By-Laws

Section C: Business Services

CA. The College Budget (BP)
CB. Purchase of Supplies and Equipment for the College (BP)
CBA. Purchasing Operating Policy
CBB-E. Price Quote/Bid Certificate
CBC. Food Purchase Policy
CBE. Procurement Card Policy
CBF. Computer and Electronic Device acquisition Policy
CC. Service and Repair of College Equipment
CD. Use of College Facilities
See Policy GD Use of College Facilities, Including Athletic and Recreational Facilities (BP)
CE. Monthly Salary Payments
See Policy DR Compensation Schedule and Options (BP)
CF. Removal of College Property from Campus
See Policy GDB Loan or Rental of College-Owned Equipment and Tools (BP)
CG. Travel Policies and Procedures
CGC-E. Travel Report-Technical Division
CGD. Vehicle and Bus Driver Policy
CGE. Travel Card Guide
CH. Joint Property Rights
CI. Telephone/Voice Mail Use
CIA. Guidelines for Setting up Voice Mail
CI.28 Privacy Policy
CI.28.1 Web Site Privacy
CI.28.2 Merchant Card Policy
CJ. Technology Acceptable Use Policy
CJ-E. E-mail Application
CJA. Electronic Messaging (all@SPC) Policy
CK. College Depository
CL. Disposal of Property
CM. Records Management Program
CMA. Records Management Schedule
CMB. Records Management of Deceased Person
CN. Internal Audits
CO. Collection of College Funds
CP. Inventory of College Equipment
CQ. Investment Management (BP)
CR. Architectural Styling, Naming of Buildings and Plaques
CRA. Naming of Buildings and College Property
CS. Financial Management of Grant Funds

Section D: Personnel

DA. Affirmative Action Plan (BP)
DAA. Americans with Disabilities Act
DB. Non-Discrimination Policy (BP)
DBA. Protection of Rights and Development
DBC. Conflict of Interest Policy
DBC-E. Disclosure Form
DBD. Intellectual Property Policy
DBDA. Student Intellectual Property Rights
DBE.  Copyright/Patent Fair Use Policy
DC. Grievance Procedure
DD. Replaced by DDA
DDA. Sexual Harassment Policy
DDB. Racial Harassment Policy
DDC. Due Process (Dismissal/Non-Renewal)
DDD. Corrective Action
DDE. Employee Conduct and Work Rules
DDEA. Smoking in the Workplace (See Policy GF)
DDF. Personal Appearance
DDG. Workplace Violence/Firearms (See Policy HHA)
DE. Substance Abuse Policy
DEA. Substance Abuse Program Implementation
DF. Employment Procedures
DFA-E. Personnel Requisition
DFB-E. Personnel Action Form
DFD-E. Affirmative Action Letter
DFE-E. Employment Application
DFEA-E. Supplement to Professional Application
DFF-E. Approval Notice and Status Change Notice
DFG-E. Application for Classified Positions
DFH-E. Part-Time Teaching Applicants
DFJ. Nepotism (BP)
DFK-E. Oath of Office Form
DFL. Definitions of Employment Status
DGA. Personnel Records and Privacy
DH. Employee Benefits Plan (BP)
DHA. Employee Benefits Program
DHAA. Sick Leave
DHB. Worker Compensation and Sick Leave
DHBA. Maintaining a Safe Work Environment
DHBB. Accident/Injury Reports
DHC. Disability Policy (BP)
DHDA. Family and Medical Leave of Absence
DHDA-E. FLMA Checklist
DHE. Personal Leave
DHF. Bereavement Leave
DHG. Professional Development Travel (BP)
DHGA. Professional Leave Approval
DHH. Professional Development Leave, Faculty (See Section 5.4 of Faculty Handbook)
DHI. Leave of Absence (BP)
DHJ. Military Leave (BP)
DHK. Vacations
DHL. Jury Duty
DHM. Group Insurance
DHN. Tax Sheltered Annuity
DHNA. South Plains College Pension Trust Fund
DHOA. Payroll Deduction
DHP. Definitions of Payroll/Personnel Actions
DI. Retirement Policies
DIA. Texas Teacher Retirement System
DIB. Optional Retirement Program (BP)
DIC. Medical Benefits Following Retirement
DID. Retirement Recognition
DIDA-E. Retirement Award
DIE. Retiree use of College Facilities
DL. Outside Employment of Faculty and Staff (BP)
DM. University Interscholastic League (UIL) Assignments and Responsibilities
DN. Parking Regulations
DO. Facility Access
DOA-E. South Plains College Key Request Form
DP. Building Security
DQ. Personnel Classifications
DQA. Employee Handbook, General
DQG. Handbook Supplement, Classified Part-Time (Class A)
DQH. Handbook Supplement, Classified Part-Time (Class B)
DQI. Handbook Supplement, Classified Full-Time (Class C)
DQJ. Handbook Supplement,  Maintenance and Custodial Personnel
DQK. Handbook Supplement, Police Officers
DQL. Handbook Supplement, Dorm Supervisor
DR. Compensation Schedule and Options (BP)
DRA. Salary Increases and Supplements (BP)
DRB. Holidays
DRC. Supplemental Pay Procedure for Exempt Employees
DRC-E. Exempt Employee Supplemental Pay Form
DTA. Evaluations- Administrators and Supervisors
DTA-E. Administrators and Supervisors Process Form
DTB. Faculty (See Section 3.4 Evaluation, Faculty Handbook)
DTC. Administrative Assistants and Clerks
DTC-E1. Personnel Assessment Process Form
DTC-E2. Physical Plant Personnel Performance Evaluation
DUA. Employee Service Awards
DXA. Exit Interviews
DXA-E. Employee Exit Interview Form
DY. Food and Drinks in Classrooms and Laboratories
DZ. Solicitation and Distribution

Section E: Faculty and Instruction

EA. Academic Freedom and Tenure (BP)
EB. Curriculum and Courses of Study (BP)
EC. Bible Instruction (BP)
ED. Honorary Degrees (BP)
EE. Faculty Handbook (BP)
EEA. Online Faculty Handbook

Section F: Student Information

FA. Admission to the College (BP)
FAA. Admission of International Students (BP)
FAB. Degree Limitation Statement
FAC. Academic Appeals Procedure
FAD. Student Records
FADA. Student Identification Number
FADB. Student Identity Verification
FB. Student Clubs and Organizations (BP)
FBA. Student Activities
FBAA. Calendar of Student Events
FBAB. Posting of Announcements and Signs
FBC. Student Newspaper (BP)
FBCA. Editorial and Advertising, Student Publications
FBD. On-Campus Speakers (BP)
FC. Intercollegiate Athletics (BP)
FCA. College Mascot (BP)
FCB. College Colors (BP)
FD. In-District Tuition (BP)
FDA. Waiver of Nonresident Tuition (BP)
FE. Travel by Student Groups
FF. Student Conduct and Discipline
FG. Student Substance Abuse Policy
FH. Sexual Harassment Policy
FI. Campus Assessment, Response and Evaluation (CARE) Team
FJ. Freedom of Expression Policy
FM. Student Grievance Procedure
FN. Compulsory Insurance for Students (BP)
FNA. Health Services
FO. Student Housing Policy (BP)
FOA. Student Housing Policy
FOB. Temporary Housing Assistance for Certain Students
FOC. Residential Housing Missing Student Notification Policy and 
         Procedures
FP. Services for Students with Disabilities
FQ. Annual Public Notice
FR. Student Financial Aid
FS. Student Counseling Center
FT. Learning Resources
FW. Texas Success Initiative (TSI)
FX. Student Correspondence Policy (Student E-Mail)
FY. Absences for Military on Active Duty
FZ. Student Death 
FZA. Student Death Protocol

Section G: Community and Government Relations

GA. Media Relations
GC. Publications and Printing Policy
GD. Use of College Facilities, Including Athletic and Recreational Facilities (BP)
GDA. Use of Facilities in Time of Disaster (BP)
GBD. Loan or Rental of College-Owned Equipment and Tools
GDC. Facility Rental Policies
GE. Use of College Food Service (BP)
GF. Smoke Free Environment
GG. Communicable Disease Policy
GH. Senior Citizens Benefits
GI. Public Complaints and Hearings (BP)
GN. Camp Programs for Minors

Section H: Support Services

HA. Library
HB. Marketing and Communications
HBA. Planning Guide for Printing, Publications, and Web Pages
HBB. College Business Cards
HC. Continuing Education
HD. Administrative Computer Center
HE. Bookstore
HF. College Post Office
HG. Maintenance/Custodial Services
HH. Campus Security
HHA. Workplace Violence and Unauthorized Weapons
HHB. Annual Disclosure of Crime Statistics
HHC. Concealed Carry of Handguns on Campus
HHD. Campus Security Camera Acceptable Use
HHE.  Campus Security Authorities (CSA)
HHF. Violent Intrusion/Action Defense Preparations
HHG. Mass Communication
HHH. Safety Program Emergency Plans and Alerts
HI. Health/Wellness Services-Levelland Campus
HJ. Food Service-Levelland Campus
HK. Severe Weather Procedures
HL. Copy Center and Reproduction Procedures
HM. College Vehicles
HN. College Web Site Policy
HO. College Stationery Policy
HP. College Logos
HQ. Photography Service
HR. Office of Human Resources
HS. Office of Development
HSA. Fundraising, Solicitation and Grant Writing
HSA-E. Fundraising Activity Approval Form
HSAA. Acceptance of Non-Cash Gifts
HSAA-E. Non-Cash Gift Acceptance Form
HT. New Student Relations
HU. Financial Aid Lender Relations Institutional Code of Conduct

Section I: Information Services

IA. Policy Compliance
IB. User Accounts Management Policy
IB-A. Data Security Risk Management
IB-B.Data-Classification-Standard
IB-C. Encryption-Standard
IC. Acceptable Use Policy
ID. Access Control Policy
ID-A. Account Management Access Control
ID-B. MFA Policy
ID-C. Auditing and Accountability 
ID-D. Security Logging Standard
ID-E. Remote Access Standard
ID-F. Wireless Network Security
IE. Secure-System-Development
IE-A. Configuration Management
IE-B. Patch Management Policy
IE-C. Secure Configuration Standard
IE-D. Vulnerability Scanning
IE-E. Sanitization Secure Disposal
IE-F. Secure Coding Standard
IF. incident Response Policy
IF-A. Cyber Incident Response
IG. Security Awareness and Training
IH. Physical and Environmental Protection