South Plains College

Information Services (SPC-IS)

 

Account Management and Access Control Standard: I-D(a)

Purpose and Benefits

This Standard establishes the rules, processes, and controls for creating, maintaining, and managing account credentials to access SPC’s applications and resources, protecting SPC systems and data.

Scope

This Standard covers access to all systems developed by or on behalf of SPC that require authenticated access. This includes all development, testing, quality assurance, production, and other ad hoc systems.

Information Statement

Account management and access control include requesting, creating, issuing, modifying, and disabling user account credentials; enabling and disabling access to resources and applications; establishing conditions for group and role membership; tracking accounts and their respective access authorizations; and managing these functions.

 

Account Management/Access Control Roles

Account management and access control require the Information Owner and Account Administrator roles to be defined and assigned for each resource and application per the Data Classification and Security Planning Policy: I-B. The SPC ISO office documents and maintains a listing of authorized users in these roles. The associated tasks and responsibilities for each role are described below. 

 

Information Owner Responsibilities 

Information owners are people at the managerial level who are responsible for the following:

  • Delegate account administrators (e.g., Director of Enterprise Applications, System Administrator, Network Administrator) to ensure the appropriate level of information access is provided. 
  • Defining roles and groups and the corresponding level of access to resources for that role or group.
  • Determining who should have access.
  • Determining the identity assurance level for the application or data (e.g., MFA).
  • Annually review that accounts and access controls are commensurate with overall business function and that the associated rights have been adequately assigned adhering to the principle of least privilege.
  • Requiring business units with access to protected resources to notify the SPC Information Security Officer (ISO) or designated security representative when individual access requirements change, or accounts are no longer required and notify Human Resources when users leave SPC.

 

 

Account Administrator Responsibilities

Account administrators maintain accounts.  They are the delegated custodians of protected data.  Account Administrators are responsible for the following:

  • Maintain appropriate levels of communication with the information owners to determine the level or degree of access granted to an individual.
  • Determine the technical specifications needed to set access privileges.
  • Delegate account management functions such as password resets to the help desk.
  • Create and maintain procedures and scripts used in managing accounts.
  • Maintain any necessary information supporting account administration activities, including information owner requests and approvals.
  • Enroll new users.
  • Enable/disable user accounts.
  • Create and maintain user roles and groups.
  • Assign rights and privileges to a user or group.
  • Collect data to review user accounts and their associated rights periodically.
  • Assign new authentication credentials (e.g., password resets).

 

 

Account Types

Account types include Individual, Privileged, Service, Shared, Default Non-Privileged (e.g., Guest, Anonymous), Emergency, and Temporary:

  • Individual Accounts: An individual account is a unique account issued to a single user. The account enables the user to authenticate to systems with digital credentials. After a user is authenticated, the user is authorized or denied access to the system based on the permissions assigned directly or indirectly to that user.
  • Privileged Accounts: A privileged account is an account that provides increased access and requires additional authorization. Examples include a network, system, or security administrator account. A privileged account may only be provided to members of the workforce who require it to accomplish their job duties. The use of privileged accounts must be compliant with the principle of least privilege. Access will be restricted to only those programs or processes specifically needed to perform authorized business tasks and no more. There are two privileged account types - Administrative Accounts and Default Accounts.
  • Administrative Accounts: An account given to a user that allows the right to modify the operating system and platform settings or enable modifications to other accounts.  These accounts must:
    • be at an Identity Assurance Level commensurate with the protected resources they access.
    • be internally identifiable as an administrative account per a standardized naming convention.
    • be revoked under organizational requirements.
  • Default Privileged Accounts: Default privileged accounts (e.g., root, Administrator) are provided with a particular system and cannot be removed without affecting the system's functionality. Default privileged accounts must:
    • be disabled if not in use or renamed if technically possible.
    • It can only be used for initial installation or as a service account. When technically feasible, alerts must be issued to the appropriate personnel when an attempt is made to log in with the account for access.
    • Do not use the initial default password provided by the system.
    • have a password known or accessible by at least two individuals within the SE if anyone knows the password. As such, restrictions for shared accounts, outlined below, must be followed.
  • Service Accounts: A service account is not intended to be given to a user but is provided for a process. It is to be used in situations such as to allow a system to run jobs and services independent of user interaction.  Service accounts must:
    • An assigned owner is responsible for documenting and managing the account.
    • be restricted to specific devices and hours when possible.
    • never be used interactively by a user for any purpose other than the initial system installation or if required for system troubleshooting or maintenance. Wherever technically feasible, administrators should leverage “switch user” (SU) or “run as” to execute processes as service accounts.
    • never be for any purpose beyond their initial scope.
    • be internally identifiable as a service account per a standardized naming convention.
    • not allow its password to be reset according to any standardized or forced schedule. However, should an employee with knowledge of said password leave the entity, that password must be changed immediately.
    • have a password known or accessible by at least two individuals within the entity if anyone knows the password. As such, restrictions for shared accounts, outlined below, must be followed.
  • Shared Accounts: A shared account is any account where more than one person knows the password and uses the same authentication credential. Sharing accounts is only allowed when a system or business limitation prevents using individual accounts.  These cases must be documented by the information owner and reviewed by the Information Security Officer (ISO) or designated security representative. Additional compensatory controls must be implemented to confirm accountability is maintained.  Shared accounts must:
    • have the authentication credentials reset when any of its users no longer need access.
    • be restricted to specific devices and hours when possible.
    • Where technically feasible, have its users log on to the system with their Individual Accounts and “switch user” (SU) or “run as” the shared account.
    • have strictly limited permissions and access only to the system(s) required.
  • Default Non-Privileged Accounts: The default non-privileged account (guest or anonymous user) is an account for people who do not have individual accounts. An example of where this might be necessary is on a public Wi-Fi network.  This account type must:
    • be disabled until necessary.
    • have limited rights and permissions.
    • only be allowed after a risk assessment
    • have compensatory controls that include restricted network access.
    • be assigned a password that the user cannot change, but that is changed monthly, at a minimum, by an administrator.
    • not allow the account to be assigned for delegation by another account.
    • have a log maintained of users to whom the password is given.
  • Emergency Accounts: Emergency Accounts are intended for short-term use and include restrictions on creation, point of origin, and usage (i.e., time of day, day of week). SEs may establish emergency accounts in response to crises and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts must be automatically disabled after 24 hours.
  •  Temporary Accounts: Temporary accounts are intended for short-term use and include restrictions on creation, point of origin, usage (i.e., time of day, day of week), and must have start and stop dates. SPC may establish temporary accounts as a part of standard account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation, such as for vendors, manufacturers, etc. These accounts must have strictly limited permissions and access only to the systems required.

 

Account Management and Access Control Functions

Automated mechanisms must be employed to monitor account use and management. These mechanisms must allow for usage monitoring and notification of atypical account usage. Thresholds for alerting should be set based on the system's criticality or account assurance level. 

Staff in the appropriate account management/access control role(s) must be notified when account management activities occur, such as when accounts are no longer required, users are terminated or transferred, or system usage or need-to-know changes.  This should be automated where technically possible. 

Systems must have automated access control policies that enforce approved authorizations for information and system resources. These policies could be identity, role, or attribute-based. 

 

By default, no one has access unless authorized.

 

A system's Identity Assurance Level (IAL) determines the degree of certainty required when proofing a user's identity. The following table describes the level of confidence associated with each IAL. 

 

Identity Assurance Level

Description

1

Low or no confidence in the asserted identity’s validity

2

Confidence in the asserted identity’s validity

3

High confidence in the asserted identity’s validity

 

 

Table 1 reflects the standards for account management at each assurance level.

 

 

Table 1 – Account Management Standards per Identity Assurance Level

 

Identity Assurance Levels

Category

1

2.

2

Account disabled automatically after x days of inactivity

1096

 90

90

Send notification x days before the account is disabled

30

30

14

Account locked after x number of consecutive failed login attempts

10

5

3

Account creation requires an authoritative attribute that ties the user to their account. This could be an employee ID, driver’s license ID, tax ID, or unique individual email address.

No

Yes

Yes

Email notifications will be sent to the user for the following events:

·         Authentication credential change (password)

·         Account disabled due to invalid attempts.

·         Forgotten User Identification (UID) issued.

·         Account attribute change (e.g., name change)

·         Account re-activation

If known

Yes

Yes

Self-service functionality allowed

Yes

Yes

No

 

For all Assurance Levels, the following must be adhered to.

  • Creating New Accounts: To create an account, a valid access authorization based on an approved business justification must be obtained, and a request must be made to create the account.
  • Modifying Account Attributes (e.g., changing users’ names, demographics, etc.): Modifications must be made only by the authenticated user or an authorized account manager.
  • Enabling Access: Access is granted, based on the principle of least privilege, with valid access authorization.
  • Modifying Access: Access modifications must include valid authorization. When there is a position change (not including separation), access is immediately reviewed and removed when no longer needed. 
  • Disabling Accounts/Removing Access:
  • Event/Risk Based (Administrative Disable): When an account poses or has the potential to pose a significant risk, the account is disabled, or access attributes are removed upon discovery of the risk. Close coordination between the information owners, account managers/administrators, legal, incident response stakeholders, and human resource managers is essential for the timely execution of removing or restricting user access. Significant risks may include a disgruntled employee or one who has been identified as a potential risk. Users posing a substantial risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause damage. Harm includes potential adverse impacts to organizational operations and assets, individuals, and other organizations. An account identifier is required to identify these accounts and prevent inappropriate re-enabling of the account/access.  Re-enabling the account requires explicit SPC approval, so self-service mechanisms may not be used to re-enable the account.
  • De-provisioning Upon Separation: All user accounts (including privileged) must be disabled immediately upon separation. Credentials must be revoked in accordance with organizational requirements, and access attributes must be removed. Self-service mechanisms may not be used to re-enable the account.
  • Inactivity Disable: When an account is disabled due to inactivity, access attributes may remain unchanged if the information owner deems it appropriate.
  •  Reviewing Accounts and Access:
    • Information owners must review all accounts annually (minimally) to determine if they are still needed.
    • Access to privileged accounts must be reviewed every six months (minimally) to determine whether they are still needed.
    • Information owners must review account authorizations and user access assignments annually (minimally) to determine if all access is still needed.
    • Accounts or records of the account must be archived after five years of inactivity or after specific audit purposes are met.
  • Unlocking User Accounts: Before an administrator or user support agent can unlock a user's account, the user must be validated using Personally Identifiable Information.
    • Secure Log-on Procedures: Where technically feasible, access must be controlled by secure log-on procedures as follows:
    • Must not display password or PIN being entered.
    • Must comply with the Multi-Factor Authentication Policy I-D(d)

           Security Logs must display the following information on completion of a successful log-on:

    • Date and time of the previous successful log-on and
    • Details of any unsuccessful log-on attempts since the last successful log-on.
  • Session Inactivity Lock: Sessions must be locked after a maximum inactivity period of 15 minutes. Session inactivity locks are temporary actions taken when users stop work and move away from their immediate vicinity but do not want to log out because of their absences' temporary nature. Users must re-authenticate to unlock the session.
  • Connection Time-out: Sessions must be automatically terminated after 18 hours or after “pre-defined” conditions such as targeted responses to certain incidents.
  •  Logging/Auditing/Monitoring: All account activity must be logged and audited following the Security Logging Standard. The ability to modify or delete audit records must be limited to a subset of privileged accounts. Any modification to access attributes must be recorded and traceable to a single individual.

 

Wireless Access
SPC must establish usage restrictions, configuration/connection requirements, and implementation guidance for wireless access. Prior to allowing connections to the wireless network, authorization of wireless access must be approved. SPC must ensure that the access control system protects wireless access to information systems using authentication of users and devices and encryption, ensure that Guest wireless connection restricts access to the internet only, and that no internal systems are available when using Guest Wireless.

 

Access Control for Mobile Devices

SPC must establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices and authorize the connection of mobile devices to organizational information systems.

 

Use Of External Information Systems

SPC will establish terms and conditions consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

  • Access the information system from external information systems.
  • Process, store, or transmit organization-controlled information using external information systems.

SPC will permit authorized individuals to use an external information system to access the information system or to process, store, or transmit SPC-controlled information only when SPC:

  • Verifies the implementation of required security controls on the external system as specified in the SPC’s information security policy and security plan.
  • Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

 

Information Sharing

SPC will Facilitate information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the information's access restrictions. SPC will employ system administrative and data owner support to assist users in making information-sharing/collaboration decisions.

 

Publicly Accessible Content

SPC will designate authorized individuals to post information on a publicly accessible system. Authorized individuals must be trained to ensure that publicly accessible information does not contain nonpublic information. The data owner must review the proposed content before posting it onto the publicly accessible information system to ensure that nonpublic information is not included. The data owner must review the content on the publicly accessible information system for nonpublic information monthly and remove such information if discovered.

Compliance

This standard shall take effect upon publication. Compliance is expected with all enterprise policies and standards, which may be amended at any time.

If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer’s exception process.

Related Documents:

1 TAC § 202.74 (a)(2)

NIST Special Publication 800-63-3 Digital Identity Guidelines

An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/?%20.  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

Texas Security Controls Standards Catalog Control Group: AC1-22, IA1, IA4, IA5, IA5(1), IA6, IA7, IA8, IA11
NIST Function Groups: ID.AM-1, ID-AM-2, PR.AC-1, PR.AC-4, PR.DS-3, PR.IP-1, PR.PT-1

Section A: District Legal Status, History and Purpose

AA. College District Legal Status and History (BP)
AB. College Name (BP)
AC. System of Governance (BP)
AD. College District Geographic Boundaries and Service Area (BP)
AE. Educational Role and Mission, Purpose and Responsibility (BP)
AF. Vision Statement and Organizational Values

Section B: Governance, Executive Functions and Organization

BA.   Purpose, Powers and Responsibilities of the Board
BAB. Specific Duties of the Board (BL)
BAC. Rights and Responsibilities of the Board (BL)
BB.   Eligibility and Qualifications for Serving on the Board of Regents (BL)
BBA. Election of Board Members (BL)
BBB. Orientation and Professional Development of Board Members (BL)
BBC. Election of Board Officers (BL)
BBD. Duties of the Chairman of the Board (BL)
BBE. Duties of the Vice Chairman (BL)
BBF. Duties of the Secretary (BL)
BC.   Regular Board Meetings (BL)
BCA. Special Meetings (BL)
BCB. Official Business at Regular and Special Meetings (BL)
BCC. Quorum Necessary for Transaction of Business (BL)
BCD. Order of Business (BL)
BCE. Rules of Order (BL)
BCF. Public Participation (BL)
BCG. Board Self Evaluation
BD.   Board Committees (BL)
BE.   Conventions, Conferences and Workshops (BP)
BF.   Policy and By-Law Development (BP)
BFA. Amendments to the By-Laws (BL)
BG.  Board Member Statement of Ethics
BGA. Standards of Conduct and Conflict of Interest
BGAA. Conflict of Interest Disclosure
BGB. Code of Ethics (BP)
BH.  Board Vacancies
BHA. Removal from Office
BI.   Employment of the College President (BL)
BIA. Qualifications of the President (BP)
BIB. The College President as the Executive Officer (BP)
BIC. Evaluation of the President (BP)
BID. Administrative Organization Plan (BP)
BIDA. College Organizational Chart (PDF file opens with Acrobat Reader, 380kb)
BIE. Administrative Rules and Regulations (BP)
BIF. Planning and Institutional Effectiveness (BP)
BJA. Employment of Independent Auditor (BP)
BJB. Employment of College Attorney (BP)
BJC. Selection of Chief Tax Officials (BP)
BK. Relationship between South Plains College and the South Plains College Foundation, Inc. (BP)
BKA. Foundation Administration and Investment of Funds (BP)
BKB. Use of Employees or Property of the College by the Foundation (BP)
BKC. Officer/Director of the College (BP)
BKD. Acceptance of Gifts by the College (BP)
BL. Accreditation (BP)
BLA. Substantive Change

Executive Officers of the College
BMA. Vice President for Academic Affairs
BMB. Vice President for Student Affairs
BMC. Vice President for Business Affairs
BMD. Vice President for Institutional Advancement
Instructional Deans of the College
BME. Dean of Arts and Sciences
BMF. Dean of Health Sciences
BMG. Dean of Technical Education
BMH. Dean of Dual Credit & Early College Programs
Student Services Deans of the College
BMI. Dean of Enrollment Services
BMJ. Dean of Students
BMK. Associate Dean of Students
BN.   Executive Council
BO.  Administrative Council
BP.  Advisory Board By-Laws
BQ. Technical Advisory Committee By-Laws

Section C: Business Services

CA. The College Budget (BP)
CB. Purchase of Supplies and Equipment for the College (BP)
CBA. Purchasing Operating Policy
CBB-E. Price Quote/Bid Certificate
CBC. Food Purchase Policy
CBE. Procurement Card Policy
CBF. Computer and Electronic Device acquisition Policy
CC. Service and Repair of College Equipment
CD. Use of College Facilities
See Policy GD Use of College Facilities, Including Athletic and Recreational Facilities (BP)
CE. Monthly Salary Payments
See Policy DR Compensation Schedule and Options (BP)
CF. Removal of College Property from Campus
See Policy GDB Loan or Rental of College-Owned Equipment and Tools (BP)
CG. Travel Policies and Procedures
CGC-E. Travel Report-Technical Division
CGD. Vehicle and Bus Driver Policy
CGE. Travel Card Guide
CH. Joint Property Rights
CI. Telephone/Voice Mail Use
CIA. Guidelines for Setting up Voice Mail
CI.28 Privacy Policy
CI.28.1 Web Site Privacy
CI.28.2 Merchant Card Policy
CJ. Technology Acceptable Use Policy
CJ-E. E-mail Application
CJA. Electronic Messaging (all@SPC) Policy
CK. College Depository
CL. Disposal of Property
CM. Records Management Program
CMA. Records Management Schedule
CMB. Records Management of Deceased Person
CN. Internal Audits
CO. Collection of College Funds
CP. Inventory of College Equipment
CQ. Investment Management (BP)
CR. Architectural Styling, Naming of Buildings and Plaques
CRA. Naming of Buildings and College Property
CS. Financial Management of Grant Funds

Section D: Personnel

DA. Affirmative Action Plan (BP)
DAA. Americans with Disabilities Act
DB. Non-Discrimination Policy (BP)
DBA. Protection of Rights and Development
DBC. Conflict of Interest Policy
DBC-E. Disclosure Form
DBD. Intellectual Property Policy
DBDA. Student Intellectual Property Rights
DBE.  Copyright/Patent Fair Use Policy
DC. Grievance Procedure
DD. Replaced by DDA
DDA. Sexual Harassment Policy
DDB. Racial Harassment Policy
DDC. Due Process (Dismissal/Non-Renewal)
DDD. Corrective Action
DDE. Employee Conduct and Work Rules
DDEA. Smoking in the Workplace (See Policy GF)
DDF. Personal Appearance
DDG. Workplace Violence/Firearms (See Policy HHA)
DE. Substance Abuse Policy
DEA. Substance Abuse Program Implementation
DF. Employment Procedures
DFA-E. Personnel Requisition
DFB-E. Personnel Action Form
DFD-E. Affirmative Action Letter
DFE-E. Employment Application
DFEA-E. Supplement to Professional Application
DFF-E. Approval Notice and Status Change Notice
DFG-E. Application for Classified Positions
DFH-E. Part-Time Teaching Applicants
DFJ. Nepotism (BP)
DFK-E. Oath of Office Form
DFL. Definitions of Employment Status
DGA. Personnel Records and Privacy
DH. Employee Benefits Plan (BP)
DHA. Employee Benefits Program
DHAA. Sick Leave
DHB. Worker Compensation and Sick Leave
DHBA. Maintaining a Safe Work Environment
DHBB. Accident/Injury Reports
DHC. Disability Policy (BP)
DHDA. Family and Medical Leave of Absence
DHDA-E. FLMA Checklist
DHE. Personal Leave
DHF. Bereavement Leave
DHG. Professional Development Travel (BP)
DHGA. Professional Leave Approval
DHH. Professional Development Leave, Faculty (See Section 5.4 of Faculty Handbook)
DHI. Leave of Absence (BP)
DHJ. Military Leave (BP)
DHK. Vacations
DHL. Jury Duty
DHM. Group Insurance
DHN. Tax Sheltered Annuity
DHNA. South Plains College Pension Trust Fund
DHOA. Payroll Deduction
DHP. Definitions of Payroll/Personnel Actions
DI. Retirement Policies
DIA. Texas Teacher Retirement System
DIB. Optional Retirement Program (BP)
DIC. Medical Benefits Following Retirement
DID. Retirement Recognition
DIDA-E. Retirement Award
DIE. Retiree use of College Facilities
DL. Outside Employment of Faculty and Staff (BP)
DM. University Interscholastic League (UIL) Assignments and Responsibilities
DN. Parking Regulations
DO. Facility Access
DOA-E. South Plains College Key Request Form
DP. Building Security
DQ. Personnel Classifications
DQA. Employee Handbook, General
DQG. Handbook Supplement, Classified Part-Time (Class A)
DQH. Handbook Supplement, Classified Part-Time (Class B)
DQI. Handbook Supplement, Classified Full-Time (Class C)
DQJ. Handbook Supplement,  Maintenance and Custodial Personnel
DQK. Handbook Supplement, Police Officers
DQL. Handbook Supplement, Dorm Supervisor
DR. Compensation Schedule and Options (BP)
DRA. Salary Increases and Supplements (BP)
DRB. Holidays
DRC. Supplemental Pay Procedure for Exempt Employees
DRC-E. Exempt Employee Supplemental Pay Form
DTA. Evaluations- Administrators and Supervisors
DTA-E. Administrators and Supervisors Process Form
DTB. Faculty (See Section 3.4 Evaluation, Faculty Handbook)
DTC. Administrative Assistants and Clerks
DTC-E1. Personnel Assessment Process Form
DTC-E2. Physical Plant Personnel Performance Evaluation
DUA. Employee Service Awards
DXA. Exit Interviews
DXA-E. Employee Exit Interview Form
DY. Food and Drinks in Classrooms and Laboratories
DZ. Solicitation and Distribution

Section E: Faculty and Instruction

EA. Academic Freedom and Tenure (BP)
EB. Curriculum and Courses of Study (BP)
EC. Bible Instruction (BP)
ED. Honorary Degrees (BP)
EE. Faculty Handbook (BP)
EEA. Online Faculty Handbook

Section F: Student Information

FA. Admission to the College (BP)
FAA. Admission of International Students (BP)
FAB. Degree Limitation Statement
FAC. Academic Appeals Procedure
FAD. Student Records
FADA. Student Identification Number
FADB. Student Identity Verification
FB. Student Clubs and Organizations (BP)
FBA. Student Activities
FBAA. Calendar of Student Events
FBAB. Posting of Announcements and Signs
FBC. Student Newspaper (BP)
FBCA. Editorial and Advertising, Student Publications
FBD. On-Campus Speakers (BP)
FC. Intercollegiate Athletics (BP)
FCA. College Mascot (BP)
FCB. College Colors (BP)
FD. In-District Tuition (BP)
FDA. Waiver of Nonresident Tuition (BP)
FE. Travel by Student Groups
FF. Student Conduct and Discipline
FG. Student Substance Abuse Policy
FH. Sexual Harassment Policy
FI. Campus Assessment, Response and Evaluation (CARE) Team
FJ. Freedom of Expression Policy
FM. Student Grievance Procedure
FN. Compulsory Insurance for Students (BP)
FNA. Health Services
FO. Student Housing Policy (BP)
FOA. Student Housing Policy
FOB. Temporary Housing Assistance for Certain Students
FOC. Residential Housing Missing Student Notification Policy and 
         Procedures
FP. Services for Students with Disabilities
FQ. Annual Public Notice
FR. Student Financial Aid
FS. Student Counseling Center
FT. Learning Resources
FW. Texas Success Initiative (TSI)
FX. Student Correspondence Policy (Student E-Mail)
FY. Absences for Military on Active Duty
FZ. Student Death 
FZA. Student Death Protocol

Section G: Community and Government Relations

GA. Media Relations
GC. Publications and Printing Policy
GD. Use of College Facilities, Including Athletic and Recreational Facilities (BP)
GDA. Use of Facilities in Time of Disaster (BP)
GBD. Loan or Rental of College-Owned Equipment and Tools
GDC. Facility Rental Policies
GE. Use of College Food Service (BP)
GF. Smoke Free Environment
GG. Communicable Disease Policy
GH. Senior Citizens Benefits
GI. Public Complaints and Hearings (BP)
GN. Camp Programs for Minors

Section H: Support Services

HA. Library
HB. Marketing and Communications
HBA. Planning Guide for Printing, Publications, and Web Pages
HBB. College Business Cards
HC. Continuing Education
HD. Administrative Computer Center
HE. Bookstore
HF. College Post Office
HG. Maintenance/Custodial Services
HH. Campus Security
HHA. Workplace Violence and Unauthorized Weapons
HHB. Annual Disclosure of Crime Statistics
HHC. Concealed Carry of Handguns on Campus
HHD. Campus Security Camera Acceptable Use
HHE.  Campus Security Authorities (CSA)
HHF. Violent Intrusion/Action Defense Preparations
HHG. Mass Communication
HHH. Safety Program Emergency Plans and Alerts
HI. Health/Wellness Services-Levelland Campus
HJ. Food Service-Levelland Campus
HK. Severe Weather Procedures
HL. Copy Center and Reproduction Procedures
HM. College Vehicles
HN. College Web Site Policy
HO. College Stationery Policy
HP. College Logos
HQ. Photography Service
HR. Office of Human Resources
HS. Office of Development
HSA. Fundraising, Solicitation and Grant Writing
HSA-E. Fundraising Activity Approval Form
HSAA. Acceptance of Non-Cash Gifts
HSAA-E. Non-Cash Gift Acceptance Form
HT. New Student Relations
HU. Financial Aid Lender Relations Institutional Code of Conduct

Section I: Information Services

IA. Policy Compliance
IB. User Accounts Management Policy
IB-A. Data Security Risk Management
IB-B.Data-Classification-Standard
IB-C. Encryption-Standard
IC. Acceptable Use Policy
ID. Access Control Policy
ID-A. Account Management Access Control
ID-B. MFA Policy
ID-C. Auditing and Accountability 
ID-D. Security Logging Standard
ID-E. Remote Access Standard
ID-F. Wireless Network Security
IE. Secure-System-Development
IE-A. Configuration Management
IE-B. Patch Management Policy
IE-C. Secure Configuration Standard
IE-D. Vulnerability Scanning
IE-E. Sanitization Secure Disposal
IE-F. Secure Coding Standard
IF. incident Response Policy
IF-A. Cyber Incident Response
IG. Security Awareness and Training
IH. Physical and Environmental Protection