2021-2022 Administrative Policy Manual [ARCHIVED COPY]

Nov 21, 2024

Section 11 - Information Technology



11.0 Information Technology (IT)

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.


11.1 General Policy

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.1.

11.1.1 Board of Regents Procedures and Guidelines

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.1.1.

11.1.2 Delegation of Authority

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.1.2.


11.2 Project Authorization

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.2.

11.2.1 Delegation of Authority

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.2.1.


11.3 Information Security Policy

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.3.

11.3.1 General Policy

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.3.1.

11.3.2 System-Level Activities

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.3.2.

11.3.3 Institutional Responsibilities

Reviewed May 26, 2016

See Board of Regents Policy Manual Section 11.3.3.

Georgia Gwinnett College recognizes that information created, collected, or distributed using technology by the College is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. The degree of protection needed is based on the nature of the resource and its intended use. GGC employs prudent information security policies, standards, and practices to minimize the risk to the integrity, confidentiality, and availability of College information.

Given the vital nature of information security to the institution, the Vice President for Educational Technology will present the President with regular security briefings as well as notification of any breaches or suspected breaches in security. It is the responsibility of the Office of Educational Technology (OET) to maintain and monitor security management applications and logs.

The Office of Educational Technology (OET) is responsible for the development and implementation of security policy. OET is also responsible for the regular review and update of those policies. In fulfillment of the BoR Information Security policy (11.3), the OET will submit for review and approval the GGC policies to the Office of Information Technology Services (ITS) of the University System of Georgia. These submissions will be made on the schedule approved by ITS and the Board of Regents.

The Office of Educational Technology will provide the employees and students of GGC with information and education related to information security and digital privacy. OET will provide online materials and mandatory training for all GGC employees.

GGC employees and students are required to report suspected information security violations to the Information and System Security (ISS) group in the Office of Educational Technology. In the case of physical security breaches or theft, the Office of Public Safety will notify ISS of a possible information security problem.

Related documents:

  • APM 11.50 Information Technology Institutional Policies and Standards
  • APM 11.50.2 GGC Information Security

Information Technology Risk Management

Policy Number: 11.23
Effective Date:  August 2, 2019
Revision History: None
Policy Contact: Vice President, Educational Technology

Purpose and Policy Statement

This policy ensures that GGC manages risk associated with assets, information leakage, and network vulnerabilities.  It is a formal acknowledgement of the commitment of the College to risk management. This policy and associated plans augment GGC’s mission by proactively identifying threats and vulnerabilities.

Scope

This policy applies to all members of the campus community.

Definitions

Computing resources: Includes all data and information, as well as the hardware, software, and processes involved in the storage, processing, and output of such information. This includes data networks, servers, PCs, storage media, printers, photocopiers, fax machines, supporting equipment, fallback equipment, and backup media.

Roles and Responsibilities

Campus Community: Includes, but is not limited to, all faculty, administrators, staff (including student workers), students, alumni, interns, members of the Board of Trustees, and members of College-sponsored advisory committees.

Director, Information Security (DIS): Conducts an IT risk assessment of GGC systems annually, either internally or through an independent contractor, to assess the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and of the information systems that support the operation of GGC. The assessment includes a review of the sensitivity levels of information resources through impact analysis, an assessment of the threats to which they are subject, and the potential business impact. Risks are assessed, mitigations recommended, and the evaluation and measurement of the associated controls established.

Enterprise Risk Management Committee (ERMC): Once the DIS has conducted the annual assessment, the ERMC evaluates the identified risks to determine which must be mitigated and what level of residual risk may be acceptable. Any mitigation measure requiring resources not under the purview of a Vice President is briefed to the Cabinet for resource allocation or residual risk acceptance.

Risk Assessment and Management

Risk management must be addressed across GGC through a formal risk management program.  It is the responsibility of the Office of Educational Technology to implement and maintain the IT risk management program.  The objective of risk management is to ensure the proper level of control over the protection of information is applied to meet the appropriate level of business risk and to ensure continuity of business operations.  Information risk acceptance is the acknowledgement that some risk exists, even after cost-effective safeguards have been implemented, and formally deciding to accept the residual level of exposure.        

In support of the risk assessment process, vulnerability scanning is conducted at least quarterly and penetration testing at least annually on all GGC systems. As part of the risk assessment, OET conducts an impact analysis to determine the sensitivity of resources.

An IT risk assessment of the systems is conducted at a minimum annually, either internally or by an independent contractor to assess the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operation of GGC.

Compliance

Compliance with the provisions described in this policy is the responsibility of all members of OET and is mandatory.  Non-compliance with this policy poses a significant risk to the protection of GGC’s information and information resources.

Violations of this policy constitute unacceptable use of computing resources by the campus community. Violations may result in a loss of computing privileges and may subject users to the College’s regular disciplinary processes, up to and including suspension or dismissal from the College. In instances where alleged violations of this policy could result in harm to or otherwise compromise the College’s computing resources, the College reserves the right to immediately suspend computing privileges pending an investigation of the validity of the charges.

In addition, illegal acts involving College computing resources may also subject violators to prosecution by local, state and/or federal authorities. Suspected or known violations must be reported to the appropriate College authority, in accordance with current disciplinary procedures. Violations are processed in accordance with these procedures and/or law enforcement agencies.

Monitoring of these policies is the responsibility of the Office of Educational Technology.

Related Regulations, Statutes, Policies, and Procedures

BOR IT Manual 5.5.1 USG Organizations Responsibilities
BOR IT Manual 5.5.2 Risk Assessment and Analysis
BOR IT Manual 5.5.3 USG Organizations Risk Management Programs
BOR IT Manual 5.5.4 USG Risk Management Requirements
BOR IT Manual 5.5.5 USG Cybersecurity Risk Management Process
ISO 27005 Information Security Risk Management (ISRM)
NIST Special Publication 800-18 (Security Planning)
NIST Special Publication 800-30 (Risk Management)
NIST Special Publication 800-37 (Certification & Accreditation)
NIST Special Publication 800-53 (Recommended Security Controls)
NIST Special Publication 800-53A (Security Control Assessment)
NIST Special Publication 800-59 (National Security Systems)
NIST Special Publication 800-60 (Security Category Mapping)


Gramm-Leach-Bliley Act (GLBA) Compliance Program

Number: 11.41
Effective Date: August 2, 2019
Revision History: None
Policy Contact: VP, Educational Technology

Purpose and Policy Statement

The purpose of this policy is to describe how GGC will meet the provisions of the GLBA. To satisfy the privacy and security requirements of the Federal Trade Commission's Privacy of Consumer Financial Information Rule, issued under the GLBA to drive implementation of GLBA requirements, the College has adopted this policy for highly critical and private financial and related information. This program applies to financial information the College receives and acts on in its business processes, which includes confidential financial information as defined by GLBA as well as other information the College has voluntarily chosen, as a matter of policy, to include within its scope.

Scope

This policy applies to all members of the college community. It is applicable to any record, maintained by or on behalf of the College, containing nonpublic financial information about a student, employee, or other third party who has a relationship with the College. Such information may be in paper or electronic form. This includes any information a student, employee, or other third party provides in order to obtain financial services from the College, information about transactions between a student or employee and the College, and information obtained about a student or employee in connection with providing a service to that person.

Definitions

Campus community: Includes, but is not limited to, all faculty, administrators, staff (including student workers), students, alumni, interns, members of the Board of Trustees, and members of College-sponsored advisory committees and volunteers.

Customer information: Any nonpublic information about students, employees, and alumni or any other third party engaged in financial transactions with Georgia Gwinnett College, whether in paper or electronic form. Examples include but are not limited to:  

  • Name
  • Home address
  • Home phone number
  • Date/location of birth
  • Driver’s license number
  • Name of spouse or other relatives
  • Citizenship
  • Bank and credit card number
  • Income and credit histories
  • Social Security numbers
  • Student performance evaluations or letters related to performance

Financial assets: Under the GLBA Safeguards Rule these include:

  • Student loans (bank loans and federal loans) 
  • Personally identifiable information: Social Security number (SSN), billing information, credit card information, account balance, citizenship, passport information, tax return information, bank account information, driver's license number, and date of birth
  • Disbursement of financial aid 
  • Payment plans 
  • 403(b) loans 
  • Payroll W2s 

Safeguards Rule: A rule issued by the Federal Trade Commission (FTC) under the GLBA that requires financial institutions subject to FTC jurisdiction to have safeguards in place to protect customer information.

Financial information: Information that the College has obtained from faculty, staff, students, alumni, auxiliary agencies, and patrons in the process of offering a financial service such as financial aid. Examples include bank and credit card account numbers, student financial aid information, student, faculty and staff loans, and income and credit histories.

Covered data: Nonpublic personal information of customers required to be protected under GLBA. In addition to this required coverage, the College chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and Social Security numbers received in the course of business by the College, whether or not such financial information is covered by GLBA. Covered data includes both paper and electronic records.

Nonpublic information: Any personally identifiable financial or other personal information, not otherwise publicly available, that the College has obtained from a customer in the process of offering a financial product or service; such information provided to the College by another financial institution; such information otherwise obtained by the College in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include but are not limited to names, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and Social Security numbers, both in paper and electronic form. 

Service provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to GGC.

Roles and Responsibilities

Chief Information Officer (CIO): The Vice President of Educational Technology serves as the CIO and designates or serves as the GLBA Compliance Plan Coordinator and is responsible for campus wide compliance with the GLBA Safeguards Rule through appropriate communication with and coordination among applicable groups. The CIO also designates individuals who have the responsibility and authority for information technology resources.  

Director, Information Security: Establishes and disseminates enforceable rules regarding access to and acceptable use of information technology resources; establishes reasonable security policies and measures to protect data and systems; monitors and manages system resource usage; investigates problems and alleged violations of the College's information technology policies; and reports violations to appropriate offices such as Legal Affairs and Human Resources for resolution or disciplinary action.

Data Governance Committee: Defines and manages implementation of the policies and procedures for the data governance and management functions. Specific responsibilities include, but are not necessarily limited to the following:

1. Defining data management roles and responsibilities herein and in other policy and procedure documentation;
2. Collecting and maintaining documentation pertaining to data governance and management policy and procedure in a centralized and easy-to-access location for the participant organization staff;
3. Establishing the functional committees needed for execution of policies and procedures;
4. Assisting the chairs of the functional committees to ensure effectiveness.

Deans, department heads, and other managers:  Inform employees about policies and programs that pertain to their work, including those that govern GLBA compliance, and ensure that they successfully complete the required training.

Employees with access to covered data: Abide by the College’s and unit’s policies and procedures governing covered data and report concerns to their supervisor.   

Campus controller: Assists units with setting risk evaluation schedules and processes as requested.  

College auditors:  Review conformance to the GLBA Compliance Plan as part of routine internal audits.

GLBA Compliance Program Coordinator: Implements the Compliance Program by doing the following: 

  • Identifying the offices and departments in the College with access to covered data 
  • Working closely with the identified units to establish control over the covered data 
  • Circulating this  to each department and requesting reassessments based on outcomes of surveys
  • Ensuring completeness of the risk assessment process, and providing security controls to remediate identified risks
  • Verifying that all necessary plans, processes, and procedures are well documented and reviewed appropriately 
  • Making recommendations to be considered during  review 
  • Providing education and training to all employees with access to covered data 
  • Updating the compliance program regularly 
  • Ensuring the documentation and maintenance of the security plan as well as its distribution to the College community. 

Coordination Responsibilities

The Office of the President and every division will appoint a representative who is responsible for the GLBA-covered, nonpublic financial information in that department to work with the GLBA Compliance Program Coordinator. 

Risk Identification and Assessment  

The compliance program identifies reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.  The GLBA Compliance Program Coordinator works with all relevant departments to carry out comprehensive risk assessments and assesses the sufficiency of any safeguards in place to control these risks.  

Risk assessment includes management and operational procedures put in place to ensure security and privacy compliance regarding the covered data. Risk assessments include a consideration of risks to nonpublic information associated with information systems, including network, software, storage, transmission, and disposal technologies, and processes. This process also includes the evaluation of procedures and methods for detecting, preventing, and responding to attacks or other system failures.  The risk assessment and analysis process applies to all methods of handling or disposing of nonpublic information whether in electronic or paper form.

Data Mapping 

As part of the compliance program, the College data and information flows are mapped in order to assess their privacy and security risks. This activity includes: 

  • Understanding the information flow (the transfer of information from one location to another) 
  • Analyzing the information lifecycle to identify: (1) unforeseen or unintended uses of data and (2) possible data collection points that can be eliminated or minimized.  
  • Identifying the key elements of data, including the types of data being processed and how they are categorized, the formats of the data, the modes of transfer, and the locations involved within the data flow. 

Design and Implementation of Safeguards 

On a regular basis, physical and technical safeguards are implemented to control the risks identified in the assessment phase.  Controls and safeguards implemented as a result of the risk assessment process are tested and monitored on a periodic basis. Also, incident response teams and policies are developed to respond to attacks or other system failures. An appropriate level of monitoring is implemented based on the potential impact and probability of the identified risks and the sensitivity of the nonpublic financial information. 

Awareness, Training, and Education 

All College employees are given specific training about the security of sensitive and confidential material used in their respective offices. Employees are informed that they must only access nonpublic information for approved purposes and may only disclose it to authorized persons. The following are requirements for the training of employees: 

  • Training programs are developed by the Office of Educational Technology (OET) in collaboration with the Office of Human Resources to capture the privacy and security requirements of each unit/department
  • Training covers all formats of customer information, whether electronic or paper-based. 
  • All employees handling covered data or information must complete the GLBA Compliance training course describing their responsibilities. 

Overseeing Service Providers 

The Data Governance Committee is responsible for instituting methods for the selection and retention of third parties with whom it shares covered data. Service providers are required to maintain appropriate safeguards for activities performed on nonpublic customer information. Such activities may include collection activities, transmission of documents, transfer of funds, destruction of documents or equipment, or other similar services.  

Service agreements involving customer information must comply with this policy, including appropriate notification in cases of security breaches. 

Policy Maintenance  

The compliance program is a continuous process of ensuring that the laws, regulations, and policies that govern the activities of members of the GGC community are followed. It is reviewed, at a minimum, annually by the CIO and the Data Governance Committee. The compliance program is reviewed based on:

  • The outcome of risk identification and assessment activities; 
  • Changes to the business and operation conduct of the College; and 
  • Changes in general information security requirements.

Related Regulations, Statutes, Policies, and Procedures

Gramm-Leach-Bliley Act
FTC: Final Rule–Standards for Safeguarding Customer Information (16 CFR Part 314)
FTC: Final Rule–Privacy of Consumer Financial Information (16 CFR Part 313)
FTC Guidance: Financial Institutions and Customer Data–Complying with the Safeguards Rule
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Federal Trade Commission Red Flags Rule
General Data Protection Regulation (GDPR)
APM 11.38 Privacy
APM 7.15 Risk Management


11.50 Information Technology Institutional Policies and Standards

Reviewed May 26, 2016

11.50.1 Appropriate Use

Reviewed May 26, 2016

11.50.1.1 Acceptable Use of Information Technology Resources

Reviewed May 26, 2016

General

Georgia Gwinnett College provides access to computing resources for students, faculty, staff, and other authorized users. The computing resources of Georgia Gwinnett College, including facilities, hardware, software, networks, and computer accounts, are the property of the State of Georgia. The use of these resources is a privilege granted by Georgia Gwinnett College to authorized users only. Georgia Gwinnett College requires that its computing resources be used responsibly by all authorized users and in compliance with all state and federal laws, contractual and license agreements, and all policies of Georgia Gwinnett College and the Board of Regents of the University System of Georgia. Authorized users of the College’s computing resources must act responsibly to maintain the integrity and security of these resources.

Rights and Responsibilities

The Acceptable Use of Information Technology Resources policy is a complement to relevant laws and policies intended to define acceptable and unacceptable computer use practices at Georgia Gwinnett College (GGC), to promote an understanding of responsible usage of College computing resources, and to protect and conserve those resources. This policy does not supersede any relevant State or Federal laws pertaining to the use of information technology, nor policies of the University System of Georgia. GGC does not provide a warranty, either expressly or implied, for the information technology services provided. The College reserves the right to limit a computer user’s session or access if there are insufficient resources, and to cancel, restart, or hold a job, process, or program to protect or improve system performance and security if necessary.

Authorized users include: current faculty, staff, and students of Georgia Gwinnett College; any person connecting to a public information service housed on an information technology resource; and others whose access furthers the mission of the College and whose usage does not interfere with other users’ access to information technology resources. Each user of an information technology resource must be specifically authorized to use that particular resource by the college unit responsible for maintaining and operating the resource.

Authorized users are responsible for all of their activities using information technology services and will respect the intended use of such services. Individuals misusing the College’s computing resources in violation of federal and state laws, Board of Regents and College policies including this policy are subject to disciplinary actions by the College including suspension of access and forfeiture of computer privileges. In the event that use or misuse of Georgia Gwinnett College’s information technology resources threatens to compromise the security or integrity of data or services, the Chief Information Officer, or his designee, may restrict or terminate user access to GGC resources pending investigation.

Users of College information technology resources have no guarantee of the privacy of materials stored on or transmitted through those resources. The College reserves the right to access any of its technology resources when federal or state laws or College policies may have been violated or where College contractual obligations or operations may be impeded or when deemed in the best interest of the College. Authorized users should not store confidential information within the College systems without protecting it appropriately. The College cannot and will not guarantee the privacy or confidentiality of computer files, electronic mail, or other information stored or transmitted by its computers. All computer usage on Georgia Gwinnett College information technology resources and network facilities is subject to the provisions of the Georgia Open Records Act, O.C.G.A. §§ 50-18-70 et seq.

System and network administrators will perform their duties fairly, in cooperation with the Georgia Gwinnett College community, their administrative supervisors, college policies, and funding resources. System and network administrators will respect the privacy of others to the extent allowed by law and College policy, but may monitor and inspect system and network activity in direct support of their duties. In the performance of their duties, should they discover inappropriate activity, they will refer matters to appropriate authorities for review and appropriate action.

Examples of Misuse of Information Technology Resources

  1. attempting to defeat or circumvent any security measures, controls, accounts, or record-keeping systems;
  2. allowing any GGC-provided account or access to be used by another person, regardless of their association with the College;
  3. making use of any GGC-provided account or access which was granted to another;
  4. accessing any College information technology system without explicit permission;
  5. misrepresenting a person’s identity or relationship to the College when obtaining or using computer or network privileges;
  6. intentionally altering, misappropriating, dismantling, disfiguring, disabling, or destroying any computing resource, information technology, data or services;
  7. intentionally interfering with the proper operation of any computing resource, information technology, data or services;
  8. using information technology services for workplace violence of any kind;
  9. using information technology services for unlawful purposes including fraudulent, threatening, defamatory, harassing, or obscene communications;
  10. invading the privacy rights of anyone;
  11. disclosing student records in violation of FERPA;
  12. violating copyright laws including the Digital Millennium Copyright Act. (Copying, installing, distributing, infringing, or otherwise using any software, data files, images, text, or other materials in violation of copyrights, trademarks, service marks, patents, other intellectual property rights, contracts, or license agreements is prohibited. All usage of computing resources shall be in compliance with federal and state copyright laws and in full conformance with the Regents Guide to Understanding Copyright and Fair Use.)

Disciplinary Actions

Use of College information technology resources in violation of applicable laws or policy may result in sanctions, including withdrawal of use privilege; disciplinary action, up to and including, expulsion from the College or discharge from a position; and legal prosecution under applicable federal and/or state law. Some violations may constitute criminal offenses; the College will carry out its responsibility to report such violations to the appropriate authorities.

11.50.1.2 Internet Acceptable Use Policy

Reviewed May 26, 2016

Violation of this policy can result in disciplinary action or referral to law enforcement.

Georgia Gwinnett College obtains Internet access from PeachNet®. As such, the PeachNet® Acceptable Use Policy directly applies to Georgia Gwinnett College.

PeachNet® exists for the dual purpose of transmitting and sharing information among the individual units of the University System and transmitting and sharing information between the units of the University System and external organizations that provide benefit to or derive benefit from any of the University System’s units.

PeachNet® users may engage in communications related to University System and contracting entity programs and services. Commercial traffic related to the operation of the University System (or any other educational entity) with a commercial entity is acceptable. Commercial traffic is acceptable on a commodity network when in direct support of research and instruction. Other networks may have special usage policies, which may be obtained from those network providers.

PeachNet® must adhere to its contractual obligations and to the acceptable use policies of its Internet service providers in order to maintain Internet connectivity. Therefore, individual PeachNet® sites may be subject to loss of service if violations of acceptable use are not addressed promptly.

The ITS does not own or control all of the various facilities and communications lines through which network access is provided. Every effort is made to ensure continuous service among PeachNet® locations. Connections to outside networks, however, are subject to interruption beyond control of the ITS, and provisions should be made for a backup connection when relying on the Internet for services. PeachNet® reserves the right to shut down the system in the event of network attack.

Illegal use

PeachNet® users must obey federal and state and local law and the policies of the University System (Board of Regents) and the regulations of the nationwide and worldwide networks to which its computers are connected. PeachNet® may be used only for lawful purposes. Transmission, distribution, or storage of any material in violation of any applicable law or regulation is prohibited. This includes, without limitation, material protected by copyright, trademark, trade secret, or other intellectual property right used without proper authorization, and material that is obscene, defamatory, constitutes an illegal threat, or violates export control laws.

System and network security

Violations of system or network security are prohibited, and may result in criminal and civil liability. PeachNet® can investigate incidents involving such violations and may involve and will cooperate with law enforcement if a criminal violation is suspected. Such investigations may require the examination of electronic information stored on or passing over PeachNet®. Examples of system or network security violations include, without limitation, the following:

  • Unauthorized access to or use of data, systems, or networks, including any attempt to probe, scan, or test the vulnerability of a system or network or to breach or circumvent the security or authentication measures without express authorization of the owner of the system or network
  • Unauthorized monitoring of data or traffic on any network or system without express authorization of the owner of the system or network
  • Interference with service to any user, host, or network including, without limitation, mail-bombing, flooding, deliberate attempts to overload a system, and broadcast attacks
  • Forging of any TCP/IP packet header or any part of the header information in an email or a newsgroup posting

E-mail

Sending unsolicited mail messages, including, without limitation, commercial advertising and informational announcements, is explicitly prohibited. A user shall not use another site’s mail server to relay mail without the express permission of the site.

File sharing

Peer-to-peer file sharing (hereafter “file sharing”) is prohibited on all GGC information technology resources including wired and wireless networks, computers, servers, and mobile devices. File sharing is prohibited regardless of the legal status of the material being shared. This is necessary in order to mitigate the negative effects of heavy utilization on other College users. Exceptions will be made to this policy if and only if all of the following are true:

  1. The sharing is approved by the Vice President for Educational Technology or delegate prior to occurring.
  2. The material being acquired is not otherwise prohibited by law or policy.
  3. The material is being used specifically to further the mission of Georgia Gwinnett College.
  4. File sharing is halted once the material has been acquired in its entirety.

In addition to the PeachNet® acceptable use policy, use of the internet is also fully subject to APM 11.50.1.1 Acceptable Use of Information Technology Resources.

11.50.2 GGC Information Security

Reviewed May 26, 2016

Georgia Gwinnett College recognizes that the information created, stored, and transmitted using its information technology systems is critical to its very existence. It is thus necessary to protect this information from unauthorized disclosure, modification, damage, and loss. The degree of protection is dependent upon the particular information and the use(s) to which it is put within the College. The Office of Educational Technology is responsible for developing and implementing policies and practices which ensure the continued availability, confidentiality, and integrity of such information.

Guided by the University System of Georgia Board of Regents Information Security Policy (http://www.usg.edu/policymanual/section11/policy/11.3_information_security_policy), Georgia Gwinnett College has developed and implemented such standards, policies, and practices as are needed to assure that the College’s information remains secure, as outlined in this section.

11.50.2.1 Data Usage

Reviewed May 26, 2016

The normal conduct of college business requires the use of data. Georgia Gwinnett College employees are expected to comply with all applicable rules and laws concerning sensitive or confidential information, as outlined in APM 10.8 Data Classification and Management and in the GGC Data Confidentiality Agreement. Users should not access data other than unrestricted data without having submitted a “GGC Data Confidentiality Agreement.”

Related documents:

  • APM 10.8 Data Management and Classification
  • GGC Data Confidentiality Agreement
  • APM 11.50.2 Information Security Risk Management

11.50.2.2 Password Policy

Reviewed May 26, 2016

Purpose

Passwords are a critical part of information and network security. Passwords serve to protect user accounts, but a poorly chosen password, if compromised, could put the entire network at risk. As a result, all employees of Georgia Gwinnett College are required to take appropriate steps to ensure that they create strong, secure passwords and keep them safeguarded at all times.

Scope

This policy applies to all employees, students, and any other account holders of Georgia Gwinnett College who have or are responsible for a computer account, or any form of access that supports or requires a password, on any system that resides at any Georgia Gwinnett College facility, has access to the Georgia Gwinnett College network, or stores any confidential Georgia Gwinnett College information. This policy shall not apply to mobile devices, provided that they are secured by a PIN or equivalent form of security as determined by the Vice President for Educational Technology.

All users should ensure their password adheres to the current password standard as published on the infosec wiki.

In addition to the standard referenced above, all GGC account holders must ensure that:

  1. Passwords are treated as confidential information. No employee is to give, tell, or hint at their password to another person, including Information Security staff, administrators, superiors, other co-workers, friends, and family members, under any circumstances.
  2. If someone demands your password, refer him or her to this policy or have them contact the Information Security Office.

Enforcement

Any employee, student, or other account holder who is found to have violated this policy may be subject to disciplinary action, up to and including termination of system and network access and/or criminal prosecution.

The Information Security Office may attempt to crack or guess users’ passwords as part of its ongoing security vulnerability auditing process. If a password is cracked or guessed during one of these audits, the user will be required to change his or her password immediately.

11.50.2.3 Electronic Mail Privacy Statement

Reviewed May 26, 2016

Though the privacy and security of all e-mail messages are important, Georgia Gwinnett College cannot guarantee that individual e-mail messages are private or secure. Authorized system administrators and/or network services staff may have access to or be required to examine e-mail messages under the following circumstances:

  1. In order to support e-mail, system administration personnel routinely monitor e-mail delivery. Undeliverable e-mail, because of incorrect addressing and/or unknown users, may be returned to the system postmaster for delivery resolution. To determine why the message was not delivered, the system postmaster must, at a minimum, read the header containing crucial information as to whom and where the e-mail was being sent. The text of the message is also open to view. Monitoring may also occur in the course of addressing security issues.
  2. The system postmaster may attempt to direct mail appropriately; however, there is no guarantee that mail can or will be delivered. If delivery is considered critical, users may want to use the return receipt option in their mailer client software package. This function requires the cooperation of the target mail system and does not work in all cases.
    Users themselves can minimize occurrences of undeliverable e-mail by careful addressing. However, hardware and software problems can sometimes direct e-mail to an inadvertent or inappropriate address.
  3. Networks require monitoring for standard maintenance and problem resolution, capacity planning, and product testing. In the course of monitoring, electronic mail messages could be part of information packets moving across the network and could be viewed by personnel performing job-related assignments.
  4. In case of suspected misconduct and under the specific direction and request of Human Resources or the Student Conduct Office (or Campus Police, regardless of status), Information Security Administrators may access e-mail to obtain information relevant to the investigation.

Overall, individuals should consider e-mail as an inappropriate vehicle for the transmission of extremely personal and/or confidential information.

Georgia Gwinnett College’s e-mail services are the property of the people of the State of Georgia, and as such, are subject to the Georgia Open Records Act.

Unless explicitly encrypted by the sender, e-mail may traverse the Internet in clear text format. The College cannot control what servers or systems the e-mail will go through before reaching its final destination.

11.50.2.4 Firewall Policy

Reviewed May 26, 2016

Purpose

Georgia Gwinnett College operates firewalls in order to create a secure environment for the College’s computing and network resources. A firewall is just one element of a layered approach to network security. The purpose of this policy is to describe the operating principles the College uses to filter IP traffic in order to mitigate risks and losses associated with security threats, while maintaining appropriate levels of access for legitimate users.

Scope

This policy refers to firewalls operated by the College. The role of these firewalls is to control traffic between networks with different levels of trust, data classifications, and security controls, such as GGC’s networks and the Internet. The firewalls will (at minimum) perform the following security services:

  • Control access between the trusted internal network and untrusted external networks.
  • Block unwanted traffic as determined by the firewall rule set.
  • Hide vulnerable internal systems from the Internet.
  • Log traffic to and from the internal network.

All employees, students, and contractors of Georgia Gwinnett College are subject to this policy and required to abide by it.

Responsibilities

The Office of Educational Technology (OET) is responsible for implementing and maintaining the College’s firewalls, as well as for enforcing and updating this policy. Password construction for the firewalls will be consistent with the strong password creation practices outlined in Georgia Gwinnett College’s password policy.

Policy

For the perimeter firewall that protects GGC networks from the Internet, the approach adopted to define the firewall rule sets is that all services will be denied by the firewall unless expressly permitted in this policy. The perimeter firewalls permit the following outbound and inbound Internet traffic.

  • Outbound - All Internet traffic to hosts and services outside of Georgia Gwinnett College. Traffic that is not directly related to the educational function of GGC may be blocked permanently on a case-by-case basis.
  • Inbound - Only Internet traffic from outside Georgia Gwinnett College that supports the mission of Georgia Gwinnett College.

For internal firewalls that offer additional protection for GGC information, a general philosophy of least privilege will be applied to balance security with operational needs. Firewalls are just one of the security layers employed to protect systems and data. The firewall rule sets will be assessed within the context of a risk assessment that takes into consideration both threats and other security controls in place.

Operational Procedures

  • Georgia Gwinnett College employees may request changes to the perimeter firewall’s configuration in order to allow previously disallowed traffic. Such requests should be routed through the helpdesk and include justification and a description of business need. Approval is not guaranteed, as the associated risks may be deemed too high. If this is the case, an explanation will be provided to the original requestor and alternative solutions will be explored. OET will periodically review current perimeter firewall rules and may alter rules based on new threats and security controls to maintain security.
  • OET staff will manage rule sets on other firewalls based on security risks and business needs.
  • Georgia Gwinnett College employees may request access from the Internet for services located on the internal Georgia Gwinnett College network. Typically, this remote access is handled via a secure, encrypted virtual private network (VPN) connection.
  • From time to time, outside vendors, contractors, or other entities may require secure, short-term, remote access to Georgia Gwinnett College’s internal network. If such a need arises, a third-party access request form, with full justification, must be submitted to the InfoSec department for approval. Approval is not guaranteed.
  • Turnaround time for simple firewall reconfiguration and network access requests is approximately two days from the receipt of the request form. More complex changes may take additional time.
  • Firewall logs will be kept for 30 days. Firewall logs will be reviewed as needed.

Enforcement

Wherever possible, technological tools will be used to enforce this policy and mitigate security risks. Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

11.50.3 Continuity of Operations Plan Policy

Reviewed May 26, 2016

Summary

Digital information is a critical asset for Georgia Gwinnett College (GGC). Of particular concern are our three core data systems: our student information system (SIS), our human resources management system (HR), and our learning management system (LMS). Our SIS and HR systems are hosted services from the Office of Information Technology Services (ITS). The hosting site is located in Watkinsville, Georgia, with backup and redundancy housed in Athens, Georgia, at the University of Georgia. Details of the hosting, backup, recovery, and disaster plans are found in the included documents for each of these core data applications. Our primary LMS is hosted off-site with a service level agreement for hosting, backup, recovery, and disaster plans, found in the vendor documents.

The GGC contacts for an emergency affecting these data services are the Vice President for Educational Technology and the Associate Vice President for Educational Technology.

Emergency contact information as of May 2016

  • Davide Gaetano 404-702-4547

To contact ITS to report an emergency production issue, call 1.888.875.3697 (toll free within Georgia) or 706.583.2000.

Rules and regulations of Georgia Gwinnett College, as stated in the APM 11.50.1.1 Acceptable Use of Information Technology policy, are to be followed. Violators may be forbidden future use of GGC computing facilities and/or recommended for disciplinary action.

Computer users must produce identification if requested to by College personnel, including any student employee on duty in a computing facility.

Facilities Use

Please see APM 9.51 Georgia Gwinnett College Library Facility Use Policy.

11.50.4 GGC Payment Card Industry Policy

Reviewed May 26, 2016

Purpose:

The purpose of this policy is to help assure that GGC is being a good steward of personal information and complies with the Payment Card Industry Data Security Standard (PCI-DSS). Failure to comply with PCI-DSS standards poses a serious threat to the business functions of Georgia Gwinnett College.

Policy:

The Vice President for Educational Technology (VPET) or delegates must approve all credit/debit card processing at Georgia Gwinnett College. This requirement applies regardless of the transaction method (e-commerce, POS device, or outsourced to third party).

All technology implementation associated with credit/debit card processing must be in accordance with PCI-DSS requirements and Board of Regents policies, and must be approved by the VPET or delegate prior to entering into any contracts or purchasing software and/or equipment.

Sensitive cardholder data should not be stored on GGC systems. Credit card point-of-sale receipts should follow PCI-DSS standards for storage and retention.

Any compromise of cardholder data must be reported to the VPET immediately upon discovery.

 

11.60 Electronic and Information Technology Accessibility Policy

Reviewed May 26, 2016

Georgia Gwinnett College is committed to accessibility, in compliance with the Americans with Disabilities Act (ADA) and Section 508 of the Rehabilitation Act Amendments of 1998 (508). The Board of Regents of the University System of Georgia (USG) has determined that all institutions under the Board of Regents fall within the scope of Section 508.

11.60.1 Web Accessibility

Reviewed May 26, 2016

GGC is committed to accessibility in its Web content. Web accessibility refers to how easily people of all abilities and disabilities can navigate and interact with websites. Disabilities may be physical, visual, auditory or cognitive. People with disabilities often use assistive technologies (such as modified mice and keyboards, screen readers and screen magnifiers) to help them navigate the web. Websites are “accessible” when they are easy for people to navigate and understand, support web accessibility standards, and are compatible with assistive technologies.

The Georgia Gwinnett College public website and My.ggc portal both follow accessibility guidelines established by the Board of Regents (BOR) policy in alignment with federal law. The BOR currently requires Section 508 compliance and endorses WCAG 2.0 (Level A and AA) guidelines. See the University System of Georgia’s Accessibility website at http://www.usg.edu/siteinfo/accessibility. Content supplied for posting on GGC sites should be submitted in accessible form. It is the responsibility of the original document-creators to address accessibility issues. GGC maintains information about creating accessible documents on the MyGGC portal for the benefit of faculty and staff.

However, many of the resources linked from the College’s website are not maintained by GGC. GGC is unable to monitor all linked resources; it is able to modify only those pages which fall directly within its own web structure (the public website, the MyGGC portal, and GGC-developed web applications). GGC cannot be responsible for the content or accessibility of linked resources beyond the control of the institution.

See APM 10.2.4.3.3 Accessibility.

11.60.2 Procurement of Electronic and Information Technology

Reviewed May 26, 2016

GGC is committed to accessibility in its electronic and information technology purchases, in compliance with the Americans with Disabilities Act (ADA) and Section 508 of the Rehabilitation Act Amendments of 1998 (508). The Board of Regents of the University System of Georgia (USG) has determined that all institutions under the Board of Regents fall within the scope of Section 508.

Requests for open market purchases will be reviewed with these guidelines in mind. Vendors will be requested to provide a statement of 508 compliance and a Voluntary Product Accessibility Template (VPAT). If the vendor does not offer a compliant product, market alternatives must be explored.

GGC does allow for the procurement of non-compliant products when no equivalent alternative can be procured. However, if a vendor product is not yet accessible, GGC will request that accessibility be added to the product’s developmental roadmap.

In addition, all departments at GGC are required to understand that if a product is not accessible, the department will be responsible for accommodating anyone who needs to use it and cannot do so. An accommodation plan must be in place if the department chooses a product that does not comply or only partially complies with accessibility guidelines.

 

11.90 GGC Library Computer Use Policies

Reviewed May 26, 2016

Open computing in the GGC Library is for the use of GGC students, faculty, and staff. Members of the general public may use the Public Access Catalogs.

Open Computers are reserved for the following activities, in order of priority:

  • Research or locating Library material
  • Using my.GGC or D2L
  • Working on assignments
  • Accessing multimedia applications relevant to scholarly research

And, provided there are computers available:

  • Personal e-mail, entertainment and social networking.

The following activities are supported:

  • Research activities, including Internet access
  • Saving files to external media
  • Viewing reference or reserve material
  • Viewing multimedia materials with Windows Media Player and QuickTime. Other video viewers are not supported

The following activities are forbidden:

  • Running commands
  • Reconfiguring existing software
  • Deleting software
  • Installing new software, including games
  • Viewing sexually explicit materials, unless it is verifiably part of an assignment, including on personal computing devices.
  • Viewing graphically violent materials, unless it is verifiably part of an assignment, including on personal computing devices.
  • Playing graphically violent and sexually explicit games, including on personal computing devices
  • Gambling, including on personal computing devices

Other Guidelines

  • Audio must be listened to through headphones rather than computer speakers.
  • Use of the instructor’s audiovisual system by students is prohibited unless the students are part of a class arranged by a faculty member.
  • Lights in computing facilities managed by the Library must remain turned on at all times, with the following exceptions:
    • In study rooms
    • If a faculty member, as part of an arranged class, needs them turned off
  • Doors to computing facilities managed by the Library must remain open at all times during operational hours, with the following exceptions:
    • In study rooms
    • If a faculty member, as part of an arranged class, needs them closed
  • Children and young adults under the age of 17 may not use GGC Library computing facilities unless they are enrolled at GGC.
  • Eating is not allowed at the computers.

Note: Activities not included in this list may be deemed inappropriate by the Librarian or Help Desk Assistant on duty, and users may be asked to stop engaging in such activity. Violators may be forbidden future use of GGC Library computing facilities and/or recommended for disciplinary action.

Printing

Printing in the open computing areas is managed by a print management system. Students must maintain a cash balance on their Cave Cash accounts and must use their Claw Cards to release print jobs. The cost to print is 10 cents per page for one-sided printing, and 17 cents for two-sided printing. Color printing is available in the Main Library Information Commons only, and the cost is 25 cents for the first side and 15 cents for the second side. GGC Faculty/Staff and non-GGC patrons do not have the ability to print materials in the Library. There is no printing available from the Public Access Catalogs. Materials may be saved to flash drives.

Headphones

Students must supply their own headphones. Headphones are available for sale in the Book Store, located in the Student Center.

Copyright

The user is responsible for any and all copyright violations that may be committed through the use of Library or Information Commons computers. Intentional violation of copyright law is not permitted. For more information, refer to the U.S. Copyright Act of 1976, Title 17, U.S. Code and the University System of Georgia’s Board of Regents policy.

Enforcement

Rules and regulations of Georgia Gwinnett College, as stated in the Instructional Technology Acceptable Use statement, are to be followed. Violators may be forbidden future use of GGC computing facilities and/or recommended for disciplinary action.

Computer users must produce identification if requested to by College personnel, including any student employee on duty in a computing facility.

Facilities Use

Please see APM 9.51 Georgia Gwinnett College Library Facilities Policy.

 

11.91 Lost, Stolen, or Damaged Equipment

Reviewed May 26, 2016

The primary purpose of college-provided equipment is to support the instructional and business needs of Georgia Gwinnett College. Faculty and staff are expected to treat such equipment with appropriate care.

11.91.1 Lost or Stolen Equipment

Reviewed May 26, 2016

If college-owned computer equipment or accessories are lost or stolen, the missing equipment must be reported immediately to (1) Educational Technology Services through User Support, (2) appropriate on-campus or off-campus police authorities, and (3) the user’s school or department. If the employee was traveling, local authorities should be contacted as well.

OET will order replacements if required, and will notify the employee’s school or department, which will be charged for the replacement. In instances where an employee’s actions were a contributing cause to the loss or theft, the reporting unit may request the College to seek reimbursement from the employee. Loaner equipment may be available for a limited time until replacements are received, for a period not to exceed three months.

11.91.2 Damage

Reviewed May 26, 2016

If college-owned computer equipment has sustained damage or wear beyond normal use, or is missing components (for example, a keyboard or extension cord), it should be reported immediately to (1) Educational Technology Services through User Support and (2) the employee’s school or department.

If the damage is not covered under warranty, the employee’s department will be charged for the repair or replacement. In instances where an employee’s actions were a contributing cause to the damage, the reporting unit may request the College to seek reimbursement from the employee. Loaner equipment may be available for a limited time until replacements are received, for a period not to exceed three months.

11.91.3 Funding Replacements for Lost, Stolen, or Damaged Equipment

Reviewed May 26, 2016

Replacement costs for lost, stolen, or damaged equipment will consist of:

  • Full replacement costs of the equipment or accessory component if the item is beyond repair.
  • All parts and any external labor charges for items that can be repaired.

Costs not covered by warranty will be charged to the employee’s school or department. In instances where an employee’s actions were a contributing cause to the loss, theft, or damage, the reporting unit may request the College to seek reimbursement from the employee.