1.0 Purpose
The College is responsible for assuring the integrity of its computer systems, applications, and utilities. All systems, applications, and utilities are deemed to be the property of the College and not an individual user or department.
2.0 Policy
The College Security Officer shall be the Chief Technology Officer. The Security Officer shall be responsible for determining appropriate physical security, access control, and contingency plans for information and communication services. Certain duties of this assignment may be delegated to others, such as initiating, modifying, and terminating users' access to various applications and/or to the network. All applications should employ a system of user identifications and passwords, at a minimum, to limit access to valid users. If provided, features limiting access to screens, modules, or other sub-units within software should be employed. Every user is accountable for safeguarding his or her access codes and for the integrity of the systems and data. Every user is responsible for periodically changing passwords in compliance with the application, system, and/or utilities requirements.
3.0 Procedures
The College Security Officer shall work with the custodian of each system, application, and/or utility to determine the appropriate security measures, with data owner approval. If a data owner or data custodian is designated as a security officer for an application, information about the designee and the scope of responsibility shall be recorded and filed by the College Security Officer. Department and work unit managers are responsible for ensuring employees are provided the necessary access to successfully complete their assignments.
Employees leaving their current areas of responsibility for any reason shall have access to all computer applications, systems, and utilities unique to that position revoked in a timely manner. The supervisor of the employees shall verify that revocation of information technology access has been requested via the appropriate college operating procedures. Human Resources is also charged with notifying the College Security Officer of the termination, role change, and/or onboarding of any employee. The College Security Officer shall ensure all rights to information technology no longer required by the employee are revoked as requested by the employee’s supervisor, data owner, and/or Human Resources.
All users of the Germanna Community College and Virginia Community College System networks are responsible for being aware of this policy. Violations of this policy that result in inappropriate or improper use of College resources or that subject the College to unnecessary risk are subject to disciplinary action as prescribed by College, VCCS, and/or State guidelines, policies, and/or procedures. Anyone who has reason to suspect a breach of this policy by another person should immediately report it to the Chief Technology Officer.
4.0 Definitions
Data Custodian – Data Custodians are individuals or organizations in physical or logical possession of data for Data Owners. Data Custodians are responsible for the following:
- Protect the data in their possession from unauthorized access, alteration, destruction, or usage.
- Establish, monitor, and operate IT systems in a manner consistent with VCCS IT security policies and standards.
- Provide Data Owners with reports, when necessary and applicable.
Data Owner – The Data Owner is the manager responsible for the policy and practice decisions regarding data, and is responsible for the following:
- Evaluate and classify sensitivity of the data.
- Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
- Communicate data protection requirements to the System Owner.
- Define requirements for access to the data.
Risk – the likelihood or probability that critical applications or confidential or sensitive information will be subject to unavailability, loss, unauthorized modification, or improper disclosure.
User – All users of VCCS IT systems, including employees and contractors, are responsible for the following:
- Read and comply with VCCS Contingency Planning and Business Recovery program requirements as well as VCCS and college IT policies, standards, and guidelines.
- Report breaches of IT security, actual or suspected, to their college management and/or the ISO.
- Take reasonable and prudent steps to protect the security of IT systems and data to which they have access.
5.0 References
Commonwealth of Virginia, Council on Information Management, ITRM Standard 95-1, Information Technology Security.
Virginia Polytechnic and State University, Administrative Policy 2020: Policy on Protecting Electronic Access Privileges.
Virginia Polytechnic and State University, Administrative Policy 2015: Acceptable Use of Computer and Communication Systems.
6.0 Point of Contact
Vice President for Administrative Services
7.0 Approval and Revision Dates
Leadership Council: First Reading Date - 07/23/20; Approval Date - 08/27/20