Information Technology Compliance
Policy Number: 11.1
Effective Date: February 16, 2023
Revision History: None
Policy Contact: Vice President for Information Technology
I. Purpose and Policy Statement
As a member of the University System of Georgia (“USG”), Georgia Gwinnett College (“GGC”) complies with the information technology (“IT”) and cybersecurity requirements and recommendations documented in the USG IT Handbook. When beneficial, GGC develops College-specific policies and procedures to supplement the content in the IT Handbook and other USG publications.
II. Scope
This policy applies to all members of the campus community. The campus community includes all faculty, administrators, staff including student workers, students, alumni, interns, and volunteers as well as members of the Board of Trustees, College-sponsored advisory committees, visitors, vendors, and other service providers.
III. Definitions
Information Technology: Information Technology includes all computer hardware, software, and services used to conduct the business of GGC. Scope includes physical and virtual technologies as well as those located on premise and in the cloud.
IV. Roles and Responsibilities
The office of Information Technology provides leadership, creates awareness, and delivers technology services and support for the GGC community. When possible, GGC IT implements technical controls to facilitate compliance with policies and procedures.
All community members are responsible for complying with technology policies, standards, and procedures.
V. Compliance
Individuals found to be in violation of this policy may be subject to disciplinary or legal action.
VI. Related Regulations, Statutes, Policies, and Procedures
USG IT Handbook
USG Business Procedures Manual
Technology Project Authorization
Policy Number: 11.2
Effective Date: February 16, 2023
Revision History: None
Policy Contact: Informational Technology Project Manager
I. Purpose and Policy Statement
Georgia Gwinnett College Information Technology (“IT”) is committed to leading and guiding a unified campus technology strategy. This strategy is guided by the GGC Operating Principles and adoption and use of technology industry standards and best practices. GGC IT manages all projects using Project Management Institute (“PMI”) standards in combination with the USG IT Handbook Section 2.2 Project Administration.
II. Scope
This policy applies to all funded and non-funded IT projects conducted within the Information Technology department at Georgia Gwinnett College.
III. Definitions
Project(s): Projects are defined by the following criteria:
- A temporary endeavor with a beginning and an end that creates a unique deliverable.
- Progressive elaboration through the project management lifecycle.
- Participation by more than one individual or team of individuals.
IV. Requirements
Any project initiated by a campus unit that may need IT services should consult with the Information Technology office during the project planning phase. GGC campus units can request a consultation or project management assistance by utilizing the project request link located in the GGC IT Services catalog. The requesting campus unit will assist with project scoping as well as providing resources and budget for their request.
As part of the project authorization process, procurement efforts are required to follow all USG policies and standards as provided in the Board of Regents Policy Manual Section 7.7 and the USG Business Procedures Manual Section 3.0.
V. Related Regulations, Statutes, Policies, and Procedures
USG IT Handbook Section 2.2 Project Administration
Board of Regents Policy Manual Section 7.7
USG Business Procedures Manual Section 3.0
Information Technology Risk Assessment
Policy Number: 11.23
Effective Date: March 14, 2023
Revision History: None
Policy Contact: Information Security Officer
I. Purpose and Policy Statement
The purpose of this policy is to facilitate compliance with applicable federal and state laws and regulations as well as University System of Georgia (“USG”) policies and recommendations to protect the confidentiality and integrity of Georgia Gwinnett College (“GGC”)’s information technology (“IT”) resources and enable leaders to make informed decisions regarding risk tolerance and acceptance.
The Information Security Officer (or designees) is authorized to perform periodic information security risk assessments including vulnerability scans to identify vulnerabilities and to initiate appropriate remediation. GGC uses formal Information Security Risk Management (“ISRM”) programs based on National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-30 and its latest version(s) to identify risks and implement plans to address and manage them. The Information Security Officer is responsible for managing the ISRM and coordinating the development and maintenance of program policies, procedures, standards, and reports in collaboration with appropriate leaders and stakeholders.
The ISRM program is based on risk assessment and developed in consideration of GGC priorities, staffing, and budgets. Risk assessments must identify, quantify, and prioritize risk acceptance and objectives relevant to the College. The results are to guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls to protect against these risks. The risk assessment must include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the calculated risks against risk criteria to determine the significance of the risks (risk evaluation).
Risk assessments are performed periodically to address changes in security requirements and the risk situation (e.g., threats, vulnerabilities, impacts, risk evaluation, and data classification). Risk assessments are to be systematic and capable of producing comparable and reproducible results. The information security risk assessment should have a clearly defined scope to be effective and should include coordination with risk assessments in other areas, if appropriate.
II. Scope
Scope includes all GGC IT resources used on or off campus and all users of GGC IT resources, including but not limited to faculty, administrators, staff including student workers, students, visitors, vendors, and other service providers.
III. Definitions
Information Technology Resource: Any hardware, software, service, system, or database used in support of College activities. This includes systems and applications hosted on premise or in the cloud and applications created by the College.
Control: A process or procedure to reduce risk.
Inherent Risk: The level of risk before Risk Treatments (controls) are applied.
Information Security Risk Management (ISRM): A program that consistently identifies and tracks information security risks, implements plans for remediation, and guides strategic resource planning.
Residual Risk: Level of risk that remains after Risk Treatments (controls) are applied to a given Risk.
Risk: The possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event.
Risk Management: The ongoing management process of assessing risks and implementing plans to address them.
Risk Assessment: The process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.
Risk Treatment: The process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate), and retention (acceptance).
IV. Roles and Responsibilities
- The Information Security Officer (or designees) is authorized to perform periodic information security risk assessments to identify areas of vulnerability and to initiate appropriate remediation.
- All community members are responsible for compliance with technology policies, standards, and procedures and awareness of risk management and remediation controls used to prevent or detect vulnerabilities and unauthorized use or access.
V. Related Regulations, Statutes, Policies, and Procedures
USG IT Handbook
USG Business Procedures Manual
National Institute of Standards and Technology (NIST) Special Publication 800-53
Gramm-Leach-Bliley Act (GLBA) Compliance Program
Number: 11.41
Effective Date: August 2, 2019
Revision History: None
Policy Contact: VP, Educational Technology
Purpose and Policy Statement
The purpose of this policy is to describe how GGC will meet the provisions of the GLBA. To satisfy the privacy and security requirements issued by the Federal Trade Commission’s Privacy of Consumer Financial Information Rule created under the GLBA to drive implementation of GLBA requirements, the College has adopted this policy for highly critical and private financial and related information. This program applies to financial information the College receives and acts on in its business processes which includes confidential financial information as required by GLBA as well as other information the College has voluntarily chosen as a matter of policy to include within its scope.
Scope
This policy applies to all members of the college community. It is applicable to any record containing nonpublic financial information about a student, employee, or other third party who has a relationship with the College that is maintained by or on behalf of the College. Such information can either be in paper or electronic form. This applies to any information a student, employee, or other third party provides in order to obtain financial services from the College, transactional information by a student or employee with the College, and information obtained about a student or employee in connection with providing a service to that person.
Definitions
Campus community: Includes, but is not limited to, all faculty, administrators, staff (including student workers), students, alumni, interns, members of the Board of Trustees, and members of College-sponsored advisory committees and volunteers.
Customer information: Any nonpublic information about students, employees, and alumni or any other third party engaged in financial transactions with Georgia Gwinnett College, whether in paper or electronic form. Examples include but are not limited to:
- Name
- Home address
- Home phone number
- Date/location of birth
- Driver’s license number
- Name of spouse or other relatives
- Citizenship
- Bank and credit card number
- Income and credit histories
- Social Security numbers
- Student performance evaluations or letters related to performance
Financial assets: Under the GLBA Safeguarding rules, financial assets include:
- Student loans (bank loans and federal loans)
- Personally identifiable information: Social Security number (SSN), billing information, credit card information, account balance, citizenship, passport information, tax return information, bank account information, driver’s license number, and date of birth
- Disbursement of financial aid
- Payment plans
- 403(b) loans
- Payroll W2s
Safeguards Rule: Requirement issued by the Federal Trade Commission (FTC) as part of the GLBA implementation that requires organizations under FTC jurisdiction to have regulations in place that protect customer information.
Financial information: Information that the College has obtained from faculty, staff, students, alumni, auxiliary agencies, and patrons in the process of offering a financial service such as financial aid. Examples include bank and credit card account numbers, student financial aid information, student, faculty and staff loans, and income and credit histories.
Covered data: Nonpublic personal information of customers required to be protected under GLBA. In addition to this required coverage, the College chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and Social Security numbers received in the course of business by the College, whether or not such financial information is covered by GLBA. Covered data includes both paper and electronic records.
Nonpublic information: Any personally identifiable financial or other personal information, not otherwise publicly available, that the College has obtained from a customer in the process of offering a financial product or service; such information provided to the College by another financial institution; such information otherwise obtained by the College in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include but are not limited to names, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and Social Security numbers, both in paper and electronic form.
Service provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to GGC.
Roles and Responsibilities
Chief Information Officer (CIO): The Vice President of Educational Technology serves as the CIO and designates or serves as the GLBA Compliance Plan Coordinator and is responsible for campus wide compliance with the GLBA Safeguards Rule through appropriate communication with and coordination among applicable groups. The CIO also designates individuals who have the responsibility and authority for information technology resources.
Director, Information Security: Establishes and disseminates enforceable rules regarding access to and acceptable use of information technology resources; establishes reasonable security policies and measures to protect data and systems; monitors and manages system resource usage; investigates problems and alleged violations of the College’s information technology policies; and reports violations to appropriate offices such as the Legal Affairs and Human Resources for resolution or disciplinary action.
Data Governance Committee: Defines and manages implementation of the policies and procedures for the data governance and management functions. Specific responsibilities include, but are not necessarily limited to the following:
1. Defining data management roles and responsibilities herein and in other policy and procedure documentation;
2. Collecting and maintaining documentation pertaining to data governance and management policy and procedure in a centralized and easy-to-access location for the participant organization staff;
3. Establishing the functional committees needed for execution of policies and procedures;
4. Assisting the chairs of the functional committees to ensure effectiveness.
Deans, department heads, and other managers: Inform employees about policies and programs that pertain to their work, including those that govern GLBA compliance, and ensure that they successfully complete the required training.
Employees with access to covered data: Abide by the College’s and unit’s policies and procedures governing covered data and report concerns to their supervisor.
Campus controller: Assists units with setting risk evaluation schedules and processes as requested.
College auditors: Review conformance to the GLBA Compliance Plan as part of routine internal audits.
GLBA Compliance Program Coordinator: Implements the Compliance Program by doing the following:
- Identifying the offices and departments in the College with access to covered data
- Working closely with the identified units to establish control over the covered data
- Circulating this to each department and requesting reassessments based on outcomes of surveys
- Ensuring completeness of the risk assessment process, and providing security controls to remediate identified risks
- Verifying that all necessary plans, processes, and procedures are well documented and reviewed appropriately
- Making recommendations to be considered during review
- Providing education and training to all employees with access to covered data
- Updating the compliance program regularly
- Ensuring the documentation and maintenance of the security plan as well as its distribution to the College community.
Coordination Responsibilities
The Office of the President and every division will appoint a representative who is responsible for the GLBA-covered, nonpublic financial information in that department to work with the GLBA Compliance Program Coordinator.
Risk Identification and Assessment
The compliance program identifies reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. The GLBA Compliance Program Coordinator works with all relevant departments to carry out comprehensive risk assessments and assesses the sufficiency of any safeguards in place to control these risks.
Risk assessment includes management and operational procedures put in place to ensure security and privacy compliance regarding the covered data. Risk assessments include a consideration of risks to nonpublic information associated with information systems, including network, software, storage, transmission, and disposal technologies, and processes. This process also includes the evaluation of procedures and methods for detecting, preventing, and responding to attacks or other system failures. The risk assessment and analysis process applies to all methods of handling or disposing of nonpublic information whether in electronic or paper form.
Data Mapping
As part of the compliance program, the College data and information flows are mapped in order to assess their privacy and security risks. This activity includes:
- Understanding the information flow (the transfer of information from one location to another)
- Analyzing the information lifecycle to identify: (1) unforeseen or unintended uses of data and (2) possible data collection points that can be eliminated or minimized.
- Identifying the key elements of data, including the types of data being processed and how they are categorized, the formats of the data, the modes of transfer, and the locations involved within the data flow.
Design and Implementation of Safeguards
On a regular basis, physical and technical safeguards are implemented to control the risks identified in the assessment phase. Controls and safeguards implemented as a result of the risk assessment process are tested and monitored on a periodic basis. Also, incident response teams and policies are developed to respond to attacks or other system failures. An appropriate level of monitoring is implemented based on the potential impact and probability of the identified risks and the sensitivity of the nonpublic financial information.
Awareness, Training, and Education
All College employees are given specific training about the security of sensitive and confidential material used in their respective offices. Employees are informed that they must only access nonpublic information for approved purposes and may only disclose it to authorized persons. The following are requirements for the training of employees:
- Training programs are developed by the Office of Educational Technology (OET) in collaboration with the Office of Human Resources to capture the privacy and security requirements for each unit/department.
- Training covers all formats of customer information, whether electronic or paper-based.
- All employees handling covered data or information must complete the GLBA Compliance training course describing their responsibilities.
Overseeing Service Providers
The Data Governance Committee is responsible for instituting methods for the selection and retention of third parties with whom it shares covered data. Service providers are required to maintain appropriate safeguards for activities performed on nonpublic customer information. Such activities may include collection activities, transmission of documents, transfer of funds, destruction of documents or equipment, or other similar services.
Service agreements involving customer information must comply with this policy, including appropriate notification in cases of security breaches.
Policy Maintenance
The compliance program is a continuous process of ensuring that the laws, regulations, and policies that govern the activities of members of the GGC community are followed. This is reviewed, at a minimum, annually by the CIO and Data Governance Committee. The compliance program is reviewed based on:
- The outcome of risk identification and assessment activities;
- Changes to the business and operation conduct of the College; and
- Changes in general information security requirements.
Related Regulations, Statutes, Policies, and Procedures
Gramm-Leach-Bliley Act
FTC: Final Rule–Standards for Safeguarding Customer Information (16 CFR Part 314)
FTC: Final Rule–Privacy of Consumer Financial Information (16 CFR Part 313)
FTC Guidance: Financial Institutions and Customer Data–Complying with the Safeguards Rule
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Federal Trade Commission Red Flags Rule
General Data Protection Regulation (GDPR)
APM 11.38 Privacy
APM 7.15 Risk Management
Acceptable Use of Information Technology Resources
Policy Number: 11.50.1.1
Effective Date: February 24, 2023
Revision History: None
Policy Contact: Vice President for Information Technology/Chief Information Officer
I. Purpose and Policy Statement
Georgia Gwinnett College (“GGC”) provides information technology (“IT”) resources to support teaching, learning, administration, and other aspects of campus life. Information technology resources may only be used by authorized persons for approved uses. This policy provides examples of acceptable and unacceptable uses of GGC information and information technology resources.
GGC adopted the policy principles established in the National Institute of Standards (“NIST”) 800 series of publications, and this policy is based on those guidelines.
The Georgia Open Records Act requires that public records be open and available for review by any member of the public unless the record is protected by an exemption. Records created while conducting College business should not be considered private; this includes paper and computer-generated records such as email, documents, etc.
Users should be aware that any activity on systems and networks may be monitored, logged, and reviewed by authorized personnel or may be discovered in legal proceedings. All records created, stored, transmitted, or received on GGC computers and networks may be subject to monitoring by authorized personnel.
GGC IT resources are provided to conduct authorized activities of the College. Incidental personal use of IT resources is acceptable if it is minimal and does not interfere with performance of duties, incur costs, burden College resources, violate any applicable laws or policies, or create additional risk to the confidentiality, integrity, and availability of the College’s resources. All users are prohibited from using GGC IT resources for personal gain or illegal activities.
Users must not transmit restricted, non-public, personal, private, sensitive, or confidential GGC information via personal email accounts (e.g., Gmail, Hotmail, Yahoo) or use a personal email account to conduct GGC business unless explicitly authorized. Users must not store restricted, non-public, personal, private, sensitive, or confidential information on a device that was not issued by GGC, or with a third-party file storage service that has not been approved for such storage by IT.
Devices that contain GGC information must always be attended or physically secured and must not be checked in transportation carrier luggage systems.
Users must report all suspected or observed illegal activities to the appropriate College personnel. Examples include theft, fraud, copyright infringement, illegal electronic file sharing, sound or video recording piracy, hacking, and viewing or distribution of pornography.
All employees will attend and apply biannual cybersecurity awareness training as required by the University System of Georgia (“USG”).
II. Scope
This policy applies to all users of GGC IT resources, regardless of affiliation, and it applies to both on campus and off campus uses of GGC IT resources.
III. Definitions
Electronic Communication: Digital correspondence, including, but not limited to email, text-messaging, instant messaging, and social networks.
Information Technology Resource: Any hardware, software, service, system, or database used in support of College activities. This includes systems and applications hosted on premise or in the cloud and applications created by the College.
Systems Administrators: Employees in Information Technology who are authorized to administer GGC systems by engaging in patching, monitoring, and other activities to ensure system performance, compliance with applicable laws and policies, and security.
User: All persons and/or organizations that use GGC information technology resources or information.
IV. Compliance
- The following acceptable and unacceptable uses apply to all users of GGC information technology resources and information. These are examples of acceptable and unacceptable uses and should not be considered exhaustive.
- Acceptable uses include:
  - Complying with all applicable laws, policies, procedures, and standards to ensure confidentiality, integrity, and availability of College information and information technology resources;
  - Using only authorized information technology resources, software, services, and information;
  - Securing physical and network access to College information technology resources and data by locking offices and computers when not attended;
  - Using College-provided software in a manner that strictly adheres to all licensing provisions including installation, use, and other terms of the license;
  - Immediately reporting suspected information security incidents or weaknesses to Information Security personnel by contacting infosec@ggc.edu. If a User suspects unauthorized activity or account compromise, the User must change passwords immediately; and/or,
  - Consulting with Information Technology (“IT”) on acceptable use issues not specifically addressed in this policy.
- Unacceptable uses include:
  - Sharing passwords;
  - Using IT resources or information without authorization;
  - Using IT resources to circulate unauthorized solicitations or advertisements for non-organizational purposes including religious, political, or not-for-profit entities;
  - Distributing, transmitting, posting, or storing any electronic communications, material or correspondence that is threatening, obscene, harassing, pornographic, offensive, defamatory, discriminatory, inflammatory, illegal, or intentionally false or inaccurate;
  - Disclosing unauthorized personal, private, sensitive, and/or confidential information;
  - Tampering, modifying, or altering any restrictions or protections placed on GGC accounts and the College’s systems or networks;
  - Physically damaging or vandalizing College resources;
  - Committing copyright infringement, including file sharing of video, audio, or data without permission from the copyright owner;
  - Using College resources to introduce, create, or propagate SPAM, PHISHING email, computer viruses, worms, Trojan horses, or other malicious code;
  - Attempting to degrade the performance or availability of any system or to deprive authorized Users access to any College resources;
  - Misrepresenting identity with actions such as IP address “spoofing,” email address falsification, or social engineering;
  - Sending email chain letters or mass mailings for purposes other than authorized College business;
  - Engaging in activities that violate state or federal law, a contractual obligation, or another College policy including but not limited to Human Resources policies and the Code of Conduct for students;
  - Connecting devices (such as switches, routers, hubs, computer systems, and wireless access points) to the network without prior approval from IT;
  - Unauthorized use of any device or application that consumes a disproportionate amount of network bandwidth; and/or,
  - Including or requesting sensitive information be included in unprotected electronic communications (email, instant message, text message, etc.).
- Access to Information Technology Resources is a privilege, and continued access is contingent upon compliance with this and other GGC policies. All community members are responsible for compliance with all policies, standards, and procedures. Individuals found to be in violation of this policy may be subject to disciplinary or legal action.
V. Related Regulations, Statutes, Policies, and Procedures
APM 10.8 Data Management and Classification
APM 10.9 Student Education Records Management Policy
Georgia Open Records Act
National Institute of Standards and Technology (NIST) Special Publication 800-53
USG IT Handbook
Board of Regents Business Procedures Manual
Board of Regents Policy Manual 8.2.18 Personnel Conduct
Electronic and Information Technology Accessibility
Policy Number: 11.60
Effective Date: February 16, 2023
Revision History: May 26, 2016
Policy Contact: Vice President for Information Technology
I. Purpose and Policy Statement
This policy establishes minimum standards for the accessibility of digital content and information technology resources in order to both meet the College’s goals for diversity, equity, and inclusion and ensure compliance with applicable civil rights regulations. The College follows all applicable laws as well as University System of Georgia (“USG”) policies and standards for accessible digital content and information technology resources.
II. Scope
This policy applies to all employees. This policy includes all information technology resources and public-facing digital content. Digital content secured with a login is subject to this policy as determined by Disability Services, Human Resources, and/or Legal Affairs.
III. Definitions
Information Technology Resource: Any hardware, software, service, system, or database used in support of College activities. This includes systems and applications hosted on premise or in the cloud as well as applications created by the College.
Digital Content: Refers to any electronic (HTML or non-HTML) resources that are used in the creation, conversion, maintenance, or duplication of data or information. Digital content may include, but is not limited to: applications, courseware, electronic documents, media, social media, software, and websites.
Public-facing: Refers to any College-sponsored or -sanctioned, externally facing digital content that can be accessed without login.
Voluntary Product Accessibility Template (“VPAT”): A template that explains how information and communication technology (“ICT”) products such as software, hardware, digital content, electronic documents, and support documentation meet the Revised 508 Standards for IT accessibility.
508 Standards: These standards require all federal agencies, including those who receive federal funding, to make their electronic and information technology (“EIT”) accessible to people with disabilities.
Web Content Accessibility Guidelines (“WCAG”): A set of guidelines established by the World Wide Web Consortium intended to make web content more accessible. Web content includes text, images, and sounds as well as the code or markup that defines structure or presentation.
Web Accessibility Initiative - Accessible Rich Internet Applications (“WAI-ARIA”): Defines a way to make web content and web applications more accessible to people with disabilities. It especially helps with dynamic content and advanced user interface controls developed with HTML, JavaScript, and related technologies.
IV. Standards
- The recommended version that should be used for assessing the accessibility of web and digital content is WCAG 2.1 Level AA.
- Digital content and information technology resources are reviewed for compliance with 508 Standards for electronic and information technologies.
- Digital content strives to meet WAI-ARIA recommendations.
V. Roles and Responsibilities
- Provide Training to Campus Community: Information Technology, Disability Services, Human Resources, Digital Communications, and Legal Affairs provide training on accessibility standards and compliance to employees.
- Ensure Accessibility of Public-facing Digital Content: The responsibility for public-facing digital resources created by employees resides within the employee’s department. The department is responsible for ensuring that the public-facing digital resources are in compliance with College and USG standards.
- Procurement of Information Technology Resources: Information Technology follows USG and College procurement policies and as such requests that all vendors provide a completed VPAT to the Vice President for Information Technology or designee as part of established procurement policies and processes.
VI. Compliance
All community members are responsible for complying with policies, standards, and procedures.
VII. Related Regulations, Statutes, Policies, and Procedures
Section 508 of the Rehabilitation Act of 1973
Sections 501 and 505 of the Rehabilitation Act of 1973
Section 503 of the Rehabilitation Act of 1973
Section 504 of the Rehabilitation Act of 1973
Section 255 of the Communications Act
Americans with Disabilities Act (ADA)
21st Century Communications and Video Accessibility Act of 2010
USG Information Technology Handbook
Voluntary Product Accessibility Template (VPAT)
Web Content Accessibility Guidelines (WCAG)
Web Accessibility Initiative - Accessible Rich Internet Applications (WAI-ARIA)
Lost, Stolen, or Damaged Equipment
Policy Number: 11.91
Effective Date: February 16, 2023
Revision History: May 2016
Policy Contact: Vice President for Information Technology
I. Purpose and Policy Statement
As a member of the University System of Georgia (“USG”), Georgia Gwinnett College (“GGC”) complies with the provisions of the USG IT Handbook and the USG Business Procedures Manual. These documents require stewardship of information assets such as inventory control, risk management, and lifecycle management to ensure that information assets are used appropriately and cost effectively. All community members shall apply safeguards such as physical controls to help prevent loss, damage, and/or theft of information assets.
II. Scope
All members of the campus community share responsibility for safeguarding information assets. The campus community includes all faculty, administrators, staff including student workers, students, alumni, interns, and volunteers as well as members of the Board of Trustees, College-sponsored advisory committees, visitors, vendors, and other service providers.
The scope of this policy is limited to physical information assets such as smartphones, tablets, laptops, and other equipment.
III. Definitions
Information Asset(s): Information asset(s) include information such as records, files, and databases as well as facilities, equipment, and software owned or leased by GGC. This policy concerns physical information assets such as smartphones, tablets, laptops, and other equipment.
IV. Roles and Responsibilities
- Information Technology (“IT”). IT oversees inventory control and lifecycle management for physical information assets. IT will facilitate replacement, repair, or other appropriate actions when physical assets are lost, stolen, or damaged. IT is not responsible for covering costs associated with repairing or replacing lost, stolen, or damaged equipment.
- Supervisor/Point of Contact.
  - Ensure that those who report to you notify the IT Helpdesk when physical information assets are lost, stolen, or damaged and ensure that Public Safety is notified if physical information assets are lost or stolen.
  - When applicable, authorize funding to replace or repair equipment if not covered by warranty, maintenance agreements, or standard service levels.
- Employees, Students, and Other Community Members.
  - Notify your immediate supervisor or primary point of contact at GGC and the IT Helpdesk if physical information assets are lost, stolen, or damaged.
  - Notify GGC Public Safety if physical information assets are lost or stolen.
  - Notify local authorities if physical information assets are lost or stolen off campus or while traveling.
V. Compliance
All community members are responsible for complying with policies, standards, and procedures. Individuals found to be in violation of this policy may be subject to disciplinary or legal action.
VI. Related Regulations, Statutes, Policies, and Procedures
USG IT Handbook
USG Business Procedures Manual