Policies

Overview

Santa Fe College has made a significant investment in the information technology infrastructure to support its mission in teaching, learning and administration. Access to college IT resources is a privilege that is granted by SF and subject to certain rules, regulations and restrictions. Such access carries with it legal and ethical responsibilities and should reflect the honesty and discipline appropriate for our community of shared IT resources. Appropriate and ethical use demonstrates respect for intellectual property, ownership of data, system security mechanisms and individuals’ right to privacy and to freedom from intimidation or harassment. Below you will find links to Santa Fe College's policies regarding the use of information technology controlled or in use by the college.

On This Page

Employee Use

Student Use

Employee Use

Information Technology Use Policies

Appropriate Use Policy

Approved: February 2, 2001
Last Reviewed: 12/01/2022
Last Modified: 08/30/2011
Responsible Office: Information Technology Services

Purpose

Santa Fe College has made a significant investment in the information technology infrastructure to support its mission in teaching, learning and administration. To that end, this policy aims to promote the following goals:

• To ensure that IT resources are used for their intended purposes;
• To ensure that the use of IT resources is consistent with the principles and values that govern use of other college facilities and services;
• To ensure the integrity, reliability, availability and performance of IT systems; and
• To establish processes for addressing policy violations and sanctions for violators

Scope

This policy applies to all students, employees, volunteers, temporary workers, guests and other workers at SF, including personnel affiliated with third parties, who use IT resources owned or leased by SF and whether from on campus or from a remote location. Other policies may govern IT resources managed by different departments of the College.

Policy

Statement Access to college IT resources is a privilege that is granted by SF and subject to certain rules, regulations and restrictions. Such access carries with it legal and ethical responsibilities and should reflect the honesty and discipline appropriate for our community of shared IT resources. Appropriate and ethical use demonstrates respect for intellectual property, ownership of data, system security mechanisms and individuals’ right to privacy and to freedom from intimidation or harassment.

General Requirements

• You are responsible for exercising good judgment regarding appropriate use of SF IT resources in accordance with Federal and state laws and SF policies, standards and guidelines.
• For security, compliance and maintenance purposes, authorized personnel may monitor and audit equipment, systems and network traffic per the IT Security, Privacy and Audit Statement. Devices that interfere with other devices or users on the SF networks may be disconnected. Information Technology Services (ITS) prohibits actively blocking authorized audit scans.
• You should be considerate when using shared IT resources. Although there are no set limits on bandwidth, disk space or CPU time applicable to all IT resources, users may be required to limit or refrain from specific uses if such use interferes with the efficient operation of IT resources.

User Accounts

• You are responsible for the security of data and systems under your control. Keep passwords secure and do not share account or password information with anyone, including other students, personnel, family or friends.
• You must maintain passwords in accordance with the Password Policy and Guidelines.
• You must ensure that college-protected information, as defined in the Guidelines for Safeguarding Restricted Data, remains within the control of SF at all times. Conducting SF business that results in the storage of protected information on personal or non-SF controlled systems, including devices maintained by a third party with whom SF does not have a contractual agreement, is prohibited. This specifically prohibits the use of an email account that is not provided by SF.

Information Technology Resources

• You are responsible for ensuring the protection of assigned SF resources.
• You must not use IT resources to gain unauthorized access to remote computers or to impair or damage the operations of SF computers, networks and online services.
• You must not interfere with College device management or security system software.
• You should contact ITS before purchasing hardware or software that connects to or runs on SF computers or networks.
• You must not use IT resources for personal financial gain. Occasional personal use of SF IT resources for purposes other than commercial or financial gain is permitted when it does not consume a significant amount of IT resources, does not interfere with college business or with the performance of a user’s job, and is otherwise in compliance with this policy.

Network Use

You are responsible for the security and appropriate use of SF network resources under your control. Using SF resources for the following is strictly prohibited:

• Causing security breach to SCF network resources, including but not limited to, accessing data, servers or accounts to which you are not authorized, circumventing user authentication on any device, or sniffing network traffic.
• Causing a disruption of services to SF network resources, including but not limited to, packet spoofing and denial of service, heap or buffer overflows and forged routing information for malicious purposes.
• Violating copyright law, including but not limited to, illegally duplicating or transmitting copyrighted pictures, music, video, software and learning resource materials.
• Use of the Internet or SF networks that violates Federal or State laws, or college policies, including but not limited to, laws of defamation, privacy, sexual harassment, obscenity and child pornography.
• Intentionally introducing malicious code, including but not limited to, viruses, worms, Trojan horses, spyware, adware and keyloggers.
• Port scanning or security scanning on a production networks unless authorized by Information Technology Services.
• Disabling or bypassing college authorized security measures, such as local firewalls, virus checking software, web-site restrictions, etc.

Electronic Communications

The following is strictly prohibited:

• Inappropriate use of the communication equipment and services, including but not limited to, supporting illegal activities, and procuring or transmitting material that violates SF policies against harassment or the safeguarding of confidential or protected information.
• Sending Spam via email, text messaging, instant messaging, voice mail or other forms of electronic communications.
• Forging, misrepresenting, obscuring, suppressing or replacing a user identity on any electronic communication to mislead the recipient about the sender.
• Posting the same or similar non-college-related messages to large numbers of Usenet groups (news group spam)
• Use of SF email or IP address to engage in conduct that violates SF policies or guidelines. Posting to a public newsgroup, bulletin board, or listserv with a SF email or IP address represents SF to the public; therefore, you must exercise good judgment to avoid misrepresenting or exceeding your authority in representing the opinion of the College.

Enforcement

The college considers any violation of this policy to be a serious offense. Violators may be subject to disciplinary action, up to and including suspension from school and termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with SF.

Authority

This policy has been created by Information Technology Services by the authority described in the Santa Fe College Information Security Policy and shall be complied with as though it were part of the IS Policy document.

History

02/02/2001 – Approved
10/12/2004 – Revised
09/24/2009 – Major revision
12/12/2010 – Revised
08/30/2011 – Revised

Information Technology Policies v20110830

Email Policy and Guidelines

Appropriate Use of Email Policy

Approved: February 2, 2001
Last Reviewed: 08/20/2011
Last Modified: 08/20/2011
Responsible Office: Information Technology Services

Scope and Intent

This policy applies to all individuals who access the college’s email system. For purposes of this document, email includes point-to-point messages, postings to newsgroups and lists, and any electronic messaging involving computers and computer networks. College email accounts, including those used by student organizations, are held to the same standards as those for individual accounts. Email is considered an official communications method of the College and generally subject to the Florida Public Records Law and the Florida Sunshine Law to the same extend as it would be on paper. Email users must therefore know the laws and be mindful that College email is public information.

Examples of Inappropriate Uses of Email

While not an exhaustive list, the following uses of email by individuals or organizations are considered inappropriate and unacceptable at Santa Fe College. In general, email shall not be used for the initiation or re-transmission of:

• Chain mail that misuses or disrupts resources – email sent repeatedly from user to user, with requests to send to others;
• Harassing or hatemail – any threatening or abusive email sent to individuals or organizations that violates college rules and regulations;
• Virus or virus hoaxes;
• Spamming or email bombing attacks – intentional email transmission that disrupts normal email service;
• Junk mail – unsolicited email that is not related to college business and is sent without a reasonable expectation that the recipient would welcome receiving it; and
• False identification – any actions that defraud another or misrepresent or fail to accurately identify the sender.

College Access to Email

All email messages are the property of the College. As a routine, the College will not inspect email content. However, the College reserves the right to access messages under circumstances outlined in the Information Technology Security, Privacy and Audit Statement and to save email pertaining to college business when an employee leaves the College. This access will be granted only upon written notification from the employee’s supervisor to the Associate Vice President of Information Technology Services. These files may be transferred to another user if necessary to conduct college business.

References

Information Technology Security, Privacy and Audit Statement

History

02/02/2001 – Approved
10/12/2004 – Revised
01/19/2009 – Revised
08/20/2011 – Revised

Information Technology Policies v20110820

Password Policy and Guidelines

Password Policy and Guidelines

Approved:
Last Reviewed: 03/28/2011
Last Modified: 03/28/2011
Responsible Office: Information Technology Services

Passwords are used to control access to Santa Fe College’s information resources. A compromised password not only puts an individual’s email and files at risk, but may also expose sensitive college data and systems. All members of the college community are responsible for taking the appropriate steps to select and secure their passwords.

This document defines college password policy and outlines the guidelines and requirements for the choosing, managing and protecting strong passwords.

Password Policy

Santa Fe College will strictly enforce the use of strong passwords. Strong passwords must:

• have a minimum of 8 characters in length (12 characters is the maximum)
• include three of the following four elements – upper case letters, lower case letters, digits and punctuation
• not contain spaces
• not be shared
• not be reused
• be changed at least every 120 days

Guidelines for Selecting Strong Passwords

A common method used by attackers to break into accounts is to simply “guess” passwords by systematically trying different possibilities and using dictionary files to generate a list of possible passwords. By choosing passwords that are easy to remember but hard for an attacker to guess, you will significantly improve the security of your computer and data.

When selecting passwords, keep the following guidelines in mind:

Choose a password that is eight characters in length

• Create passwords that contain three of the following four elements – upper case letters, lower case letters, digits and punctuation
• Do not use spaces or blanks in your password
• Avoid using dictionary words including foreign language words, slang, jargon and proper names
• Avoid using passwords that are based on your name, user ID, birthdates, addresses, phone numbers, relatives’ names, or other personal information

The key to a successful password is to create a phrase that is easy for you to remember but that no one else will ever think about attributing to you. For example:

• “Only 12 more years until retirement” would be “O120myur”
• “My 7 year anniversary is November 20” would be “M7yaiN20”

For tips on selecting strong passwords that are easy to remember and to test the strength of your passwords, go to Microsoft’s strong password website.

Guidelines for Protecting Your Passwords

• All passwords are to be treated as confidential college information.
• You are responsible for the security of your passwords and accountable for any misuse if they are guessed, disclosed, or compromised.
• Do not share your passwords with anyone, including supervisors, administrative assistants, secretaries, and technology service providers.
• Do not use your Santa Fe password as a password for non-college accounts such as eBay and Yahoo. This will limit your exposure if any of your passwords are compromised.
• Do not allow anyone to look over your shoulder while you are entering your password
• Do not write passwords down or store them anywhere in your office. Do not store passwords in a file on any computer system (including PDAs or similar devices) without using strong encryption.
• If you suspect your account or password has been compromised, report the incident to ITS Help Desk and change the password immediately.
• Change your password on a regular basis. Changing your password every 90 days is a good rule-of-thumb, and you should never go longer than 120 days before picking a new password. Do not reuse previous passwords.

Exceptions

For systems and applications that have a maximum password length less than eight characters, that maximum length should be set as the minimum accepted password length.

Login Failure Lockout

User accounts are automatically locked after 3 consecutive failed login attempts. Accounts are automatically unlocked after 30 minutes. Users can unlock their accounts before the 30 minute lockout period by access the Password Management System and selecting “Change Password” from eStaff or Web email login pages.

Changing Passwords

Employees can change their passwords through eStaff and students can change their passwords through eSantaFe.

History

04/25/2008 – Revised
08/24/2009 – Major revision
03/28/2011 - Revised

Information Technology Policies v20110328

Privacy of Confidential Information

Approved: 05/08/2017
Last Reviewed: 05/08/2017
Last Modified: 05/08/2017

Statement

Santa Fe College (SF) collects, produces, disseminates, and stores a significant amount of diverse information in a variety of formats during the normal course of business operations. A portion of this information includes confidential documents, materials, or data which may be protected by federal, state, or local laws and regulations, and/or college rules. This restricted data includes, but is not necessarily limited to: Personally Identifiable Information (PII); Private Educational Records (PER) protected under FERPA; credit card data regulated by the Payment Card Industry (PCI); Electronic Protected Health Information (ePHI) protected by HIPAA and/or Florida medical privacy laws; personal information covered by the Gramm-Leach-Bliley Act (GLBA); and information specifically identified by contract as restricted (see sections 2 and 3 of the SF IT Policies Appendix A for more information).

During the course of employment, employees, student employees, volunteers, agents acting on behalf of SF, or other individuals may have access to information that is considered confidential. This document will establish the principles, processes, and safeguards by which electronically stored confidential information entrusted to the care of SF will be maintained and managed that ensures its confidentiality, and outlines expectations regarding the ongoing protection of this information.

Purpose

Every individual at SF entrusted with the care of confidential information needs to possess a level of understanding of the responsibilities involved in identifying, governing, protecting, and securing confidential information that they may have access to during the fulfilment of their daily job responsibilities and functions.

Scope

This policy applies to all individuals who have access through SF IT Resources, as defined in section 4, below, to SF information that contains personal, academic, business, or other information that is considered confidential or of a proprietary nature.

Definitions

Information Technology (IT) Resources - Equipment or services used to input, store, process, transmit, and output information, including, but not limited to, desktops, laptops, mobile devices, portable storage devices, servers, telephones, fax machines, copiers, printers, wired and wireless networks, Internet, email, cloud storage, and social media sites.

Destruction Record - An inventory method for describing and documenting the physical or electronic information in any format authorized for destruction, as well as the date, authorizing individual, and method of destruction. The destruction record itself does not contain confidential information. The destruction record information can be kept in either physical or electronic format.

Confidential Data - For the purposes of this policy, confidential data or confidential information is information stored and/or housed by electronic methods for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be required. Unauthorized access to or disclosure of confidential information could constitute an unwarranted invasion of privacy and cause financial loss and damage to the College’s reputation and the loss of community confidence.

Electronic Protected Health Information (ePHI) - Any information that links an individual with their physical or mental health condition such as:

• Name of individual or relative
• Any address smaller than state
• Dates such as birth, admission or discharge
• Telephone numbers
• Electronic mail address
• Social security numbers
• Account numbers
• Health plan beneficiary number
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic or code

FERPA - Family Educational Rights and Privacy Act - The Family Education Rights and Privacy Act (FERPA) is a Federal law that protects and safeguards the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Individuals cannot bring a case against the institution, but the Department of Education can enforce FERPA by depriving an institution of federal funding (including financial aid to students). You can read more about FERPA at www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

FIPA - Florida Information Protection Act - Requires covered entities, which includes certain government entities, conducting business in Florida that acquire, maintain, store or use personal information, to inform Florida residents of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information. FIPA provides the following definitions of what constitutes protected personal information:

• The first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are neither encrypted nor redacted:
  • Social Security Number
  • A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
  • Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts.
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
• A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Federal Information Security Management Act (FISMA) of 2002 - Requires program officials and the head of each agency to take specific measures to mitigate cybersecurity risks. The Department of Homeland Security monitors and reports agency progress to ensure the effective implementation of this guidance.

Federal Information Processing Standard 199 (FIPS 199) - Part of the mandatory security standards as required by FISMA that require Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category.

GLBA - Gramm-Leach-Bliley Act - The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, is a comprehensive, federal law that governs a financial institution’s retention, use and disclosure of customer records and information. GLBA sets forth a financial institution’s privacy obligations to its customers and its duties concerning the safeguarding of customer’s personal information. The GLBA is composed of several parts, including the Privacy Rule (16 CFR § 313) and the Safeguards Rule (16 CFR § 314). The GLBA applies to the College because it processes student loans and provides other financial services. As such, the College falls within the definition of “financial institution” under the GLBA and must comply with the law’s requirements. “Financial Institution” means any institution which engages in financial activities. Examples of financial activities that are covered by GLBA include the following: student or other loans, including receiving application information, and the making and servicing of such loans, collection of delinquent loans, check cashing services, financial or investment advisory services, credit counseling services, travel agency services provided in connection with financial services, tax planning or tax preparation, obtaining information from a consumer report career counseling services for those seeking employment in finance, accounting or auditing. Additional guidance regarding GLBA is available at: www.ftc.gov/privacy/privacyinitiatives/glbact.html.

HIPAA - Health Insurance Portability and Accountability Act - The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of medical records for health care providers, health maintenance organizations and health records clearinghouses. A major goal of HIPAA is to assure that individual’s health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and protect the public’s health and well-being. HIPAA establishes, for the first time, a foundation of federal protections for the privacy of protected health information. However, it does not replace federal, state, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices. You can read more about HIPAA at hhs.gov/hipaa/index.html.

PCI DSS - The Payment Card Industry Data Security Standard is a proprietary set of security controls that businesses are required to implement to protect credit card data.

Payment Card Information (PCI) - Credit card account number alone with any of the following:

• Cardholder name
• Service code
• Expiration date

Personally Identifiable Information (PII) - Unencrypted electronic information that includes an individual’s first name or initial and last name, in combination with any one or more of the following:

• Social security number
• Driver license number
• Financial account number, credit card number, or debit card number in combination with any security code, access code, or password

Private Educational Record (PER) - Includes the following information:

• Name of the student’s parent or other family member
• Address of student’s family
• Personal identifier, such as the student’s Social Security Number (SSN)
• A list of personal characteristics that would make the student’s identity easily traceable
• Disciplinary status
• Financial – aid, tuition, payments, account balances
• Grades, exam scores, or GPA (grade point average)
• Class roster
• Applications and admissions information
• Schedules
• Evaluations, forms, memos, or correspondence to and about the student
• Birth date
• Gender
• Citizenship
• Marital status
• Religion

Restricted Data - A particularly sensitive category of confidential data. Restricted data is defined as:

Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transmission.

Restricted data includes, but is not necessarily limited to:

• Personally Identifiable Information (PII)
• Private Educational Records protected under FERPA
• Credit card data regulated by the Payment Card Industry (PCI)
• Electronic Protected Health Information (ePHI) protected by Federal HIPAA legislation or Florida medical privacy laws
• Information specifically identified by contract as restricted
• Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high

Sensitive Information - information that “because of legal, ethical, or other external-imposed constraints, may not be accessed without specific authorization or to which only limited access may be granted”. In the context of the definition of a serious incident, sensitive information is defined as non-public information, as defined by law or practice, whose disclosure may have serious adverse effect on individuals and/or the College. Sensitive information includes personally identifiable information such as protected by FERPA, credit card numbers and any other information designated as sensitive by the College.

Student Directory Information - Includes a student's name, local address, telephone number, date of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.

Limited-access Area - An area where access shall only be granted to employees who are approved by the appropriate members of management of that location, or to anyone already approved to access more than one restricted area (ITS employees). This does not include people admitted to an area as a visitor.

Restricted Area - An area where access shall only be granted to ITS employees who are approved by the appropriate members of management. This does not include people admitted to an area as a visitor.

Additional definitions of the terms used in this policy can be found in the SF IT Policies Appendix A.

Policy

5.1 Requirements and Responsibilities

All members of the SF community who deal with confidential data are expected to become familiar with all sections of this policy and take the steps necessary to stay current with all regulations and guidelines regarding the handling of confidential data outlined within the sections listed below.

5.1.1

All members of the SF community who have been granted access to confidential, sensitive, or proprietary information in any electronic format have an obligation to protect, maintain, and handle that information in a secure manner throughout all stages of the data lifecycle including:

• Creation
• Use
• Storage
• Release
• Receiving and Transmitting
• Retention
• Destruction

5.1.2

All individuals will be granted privileges consistent with their job duties to access confidential information and understand that they may not release that information to any individual or entity without appropriate authorization.

5.1.3

Prior to releasing confidential information, any individual who is uncertain about the legitimate use or release of confidential information to others should always refer questions about the appropriateness of the release to his or her supervisor.

5.1.4

All members of the SF community who deal with confidential data must understand all rules and regulations which apply to the data under their control that relate to the transference of confidential information outside of SF. This includes taking all steps required to obtain prior authorization and acquiring all necessary signatures on the appropriate release forms to allow SF to disclose confidential information.

5.1.5

All individuals are responsible for confidential information under their control and will be held accountable for any intentional or unintentional disclosure of confidential information to unauthorized individuals or entities. See Sections 5.9 and 6.0 of this policy for disciplinary actions as a result of policy violation.

5.1.6

To protect confidential information from any possible misuse, all individuals responsible for confidential information must comply with the latest rules and regulations regarding the appropriate handling of confidential information and materials.

5.1.7

Individuals responsible for confidential data should attend training to foster understanding of -- and compliance with -- appropriate secure handling rules and regulations as required by relevant federal, state, and local laws.

5.2 Inappropriate Use

Confidential information is only to be accessed for purposes directly related to your job duties or for other authorized and approved SF business. Listed below are some examples of inappropriate uses of confidential information.

5.2.1

Disclosing, discussing, or distributing confidential information to any individual not authorized to view or access that data, and only as needed to conduct campus business or as required by job requirements or supervisor directive.

5.2.2

Using information viewed or retrieved from the systems for unauthorized or unlawful use, or for the purpose of personal gain.

5.2.3

Attempting to gain unauthorized access to systems or data that is not relevant to your job duties.

5.2.4

Deleting, or altering any information without prior authorization, or intentionally generating false or misleading information.

5.2.5

Sharing your system credentials, or utilizing the credentials of others to gain unauthorized access.

5.3 Security of the Electronic Environment

Every member of the SF community who is authorized to work with confidential information must be aware of the proper procedures and protocols to safeguard electronic data within their possession, and take all steps and proactive actions necessary to ensure that confidential information stored in an electronic format remains secure. Listed below are some examples on how to secure the electronic environment.

5.3.1

All computers containing confidential information must be logged off or locked when unattended. Computers owned/managed by SF are protected by a screen lock timer function. If you discover a SF computer that does not lock after going to the screen saver, you must contact the ITS Help Desk to report the problem.

5.3.2

Any electronic device housing confidential information must have password protection enabled and adhere to the SF Password Policy and Guidelines. If you need assistance with enabling password protection, contact the ITS Help Desk.

5.3.3

Storing confidential information on any non-SF computer equipment is prohibited.

5.3.4

When there is an authorized and legitimate need to provide electronic records containing confidential information to an authorized third party, the electronic records must be password-protected and encrypted.

5.3.5

Storing confidential information on any portable or external storage device (e.g., laptop, tablet, smart phone, flash-drive, SD card, DVD) is not allowed unless written permission is granted by the individual(s) responsible for that information and the portable or external storage device is password-protected.

5.3.6

Unless specifically authorized and approved, confidential information should never be stored on local computer drives. It must either be stored on secured servers or secured authorized desktop computers.

5.3.7

Prior to storing confidential information on any computer, individuals should verify with ITS that the computer meets the minimum acceptable security requirements:

• The anti-virus software is up-to date.
• The operating system is up-to date.
• The password has been changed recently and adheres to the SF Password Policy and Guidelines.
• The computer has been recently scanned for malware, spyware, keystroke monitor software, or any other possible malicious software.
• The computer is protected by the network firewall.

5.4 Disposal of Confidential Electronic Information

5.4.1

Electronic documents and other digitally-maintained information not actively involved in an investigation, litigation or legal hold, has a finite life cycle and should be permanently deleted pursuant to and in compliance with College Rule 5.11, Procedure 5.11P, Chapter 119, Florida Statutes, and Chapter 257, Florida Statutes, as applicable.

5.4.2

Prior to disposal, the retention schedule (if applicable) for each document type should be verified.

5.4.3

The destruction of SF electronic records should be authorized by the senior officer of each administrative or academic office of responsibility, in compliance with College Rule 5.11, Procedure 5.11P, Chapter 119, Florida Statutes, and Chapter 257, Florida Statutes, as applicable.

5.4.4

All digital information will be deleted using the procedures outlined in the SF Digital Media Sanitation policy.

5.4.5

The destruction of the data should be noted in the destruction record files.

5.5 Security of the Physical Environment

Every member of the SF community who is authorized to work with confidential information must take the proper precautions to ensure that the workplace environment provides the security measures necessary to safeguard that information. Listed below are some examples on how to secure the physical environment.

5.5.1

Computer display screens must be positioned so that only authorized individuals can view confidential information.

5.5.2

Any server containing confidential information must be housed within a restricted area that features strict access control, and is protected by video surveillance and/or motion-detecting devices.

5.5.3

Every SF laptop/netbook that is not in use must be stored within a limited-access area and protected by a cable lock or locked in a cabinet/cart where feasible. This policy applies whether the equipment is located on campus or off-site.

5.5.4

All handheld electronic devices, including portable storage units and mobile devices, must be kept in a locked drawer or cabinet when not in use.

5.5.5

Photocopiers, fax machines, and scanners must be located within a limited-access area.

5.5.6

Printers that routinely print confidential information must be located within a limited-access area.

5.5.7

Windows in offices that regularly access protected/sensitive information should be protected in such a way that a passerby cannot see in but the employee has an unobstructed view to see outside. If mirror tinting is not available or has been ordered but not installed, then the employee must account for the window when abiding by Section 5.5.1 above.

5.7 Removal of Confidential Materials

All materials and other property containing confidential information are the property of SF. Unless directed or pre-approved by a supervisor, members of the SF community will not remove confidential data off-campus.

5.7.1

If approved for off-campus removal, all members of the SF community are responsible for the confidential data in their care and must safeguard the information and control access as necessary, until that information is safely returned to SF.

5.7.2

All confidential data taken off-campus must be password-protected and encrypted.

5.7.3

Any supervisor permitting confidential information in electronic form to be taken off-campus must implement formal written control procedures for the information, which will establish the following:

• The name of the individual taking the confidential information off-campus.
• The start date and time the material was taken off-campus and the agreed-upon date and time of its return.
• The purpose for which the material has been taken off-campus.
• The type and format of the confidential information that has been taken off-campus.

5.8 Termination or Completion of Assignment or Project

5.8.1

After the completion of an assignment or project, an employee will return all confidential or proprietary data pertaining to that assignment or project. The employee’s supervisor (or their designee) will verify that all information has been returned.

5.8.2

After voluntary or involuntary termination of employment, the former employee must safely return all SF IT resources to their supervisor before they leave on the final day of their employment. The former employee must also securely delete all confidential data from any non-SF device that has come in contact with such data during the course of its life. The employee’s former supervisor (or their designee) will verify that all SF IT resources have been returned and all known confidential information has been removed from any non-SF device.

5.8.3

After employment with SF ends, all former employees will hold all confidential or proprietary information in trust and confidence, while complying with federal, state, and local laws regarding its access, use, and disclosure.

5.9 Violations

5.9.1

Unauthorized access or disclosure of confidential information in any form may violate college policy and federal, state, or local laws, resulting in criminal or civil penalties or corrective action, up to and including termination.

5.9.2

Employees must report actual or suspected disclosure of confidential electronic records immediately to their supervisor, department head, or IT Services.

5.9.3

Employees must report actual or suspected violation of this policy by any member of the campus community immediately to their supervisor, department head, or IT Services.

Policy Enforcement

Every SF user ID and password acts as a unique identifier granting access to the associated account on a particular SF system, which may contain SF confidential information. Any work or activity performed under an SF account is assumed to be performed by the person assigned to that account. Defying or circumventing this policy shall be deemed a violation of this policy, as well as the Information Technology Appropriate Use Policy (AUP), and will be reported to the SF Chief Information Officer (CIO). The CIO reserves the right to deny or immediately remove access privileges to individuals or groups without prior notice to protect SF technology resources. The CIO may delegate further enforcement of this policy to the appropriate persons in coordination with disciplinary procedures for students, faculty, and staff.

Contacts

Questions regarding this Policy should be directed to Information Technology Services at 352-395-5999 or emailed to help.desk@sfcollege.edu.

History/Revision Dates

Approved: 05/08/2017

Student Computer Access Policy

Student Computer Use Policy

Approved:
Last Reviewed: 07/18/2012
Last Modified: 07/18/2012
Responsible Office: Information Technology Services

This following statement is placed on all student computers and students must agree to the statement before using college-owned computers.

Computer Use Policy

ATTENTION – YOU WILL LOOSE COMPUTER PRIVILEGES AT ALL SF LABS IF YOU:

1. Display, print, or transmit pornographic material in any SF computer lab
2. Display, print, or transmit racist, sexist, obscene or harassing messages and/or materials using email or SF’s access to the internet.
3. Modify or alter a computer workstation by any means, including but not limited to installing programs, saving or deleting workstation files, and changing the desktop configuration
4. Use the email to transmit unsolicited mail (SPAM). SPAM is defined as “the sending of a message, individually or en masse, to people who did not request it and/or would not otherwise choose to receive it.”

If you violate these policies, you will be denied access to all SF Labs pending your hearing with the Student Disciplinary Committee.

I have read and agree to the Computer Use Policy.

History

07/18/2012 – Revised

Information Technology Policies v20120718

Information Technology Resource Policies

Allocation of IT Resources

Information Technology Resource Allocation Policy

Approved: November 16, 2001
Last Reviewed: 09/20/2011
Last Modified: 09/20/2011
Responsible Office: Information Technology Services

Introduction

Santa Fe Community College acknowledges that Information Technology (IT) resources and services are essential for support of the College’s mission and goals. Therefore, it is the policy of the College to provide, to the extent that financial and human resources allow, appropriate allocation of IT resources for academic and administrative areas of the College.

Information Technology Resources

IT resources encompass all forms of technology used to create, store, exchange and use information in its various forms of voice, video and data, as well as the human resources and contracts required for the support of IT resources and services.

Examples of IT resources:

• Wiring and wireless infrastructure for voice, video and data
• Network electronics for voice, video and data
• Mainframe and server technology and operating systems
• Desktop computers, printers and scanners
• Telephone systems
• Interactive voice response systems
• Video conferencing systems
• Administrative application software and systems
• Academic application software and systems
• Desktop productivity application software
• Telecom lines for voice, video and data
• Maintenance and service contracts for IT resources
• Salary and benefits in direct support of IT resources and services
• Professional development of IT staff

Examples of what is NOT an IT resource:

• Personal Digital Assistants (PDA)
• Non-networked audio/visual equipment and services
• Stand-alone copiers
• Library database subscriptions
• End-user training
• Courseware development
• Computerized student testing systems

Allocation of IT Resources

To ensure equitable balance between all areas of the college, allocation of IT resources shall be a representative and participatory process linked to College planning and budgeting processes.

Link to college planning and budgeting processes

The allocation of IT resources shall result from college planning and budgeting processes. College planning considers IT issues and trends when formulating the College Strategic Plan which in turn drives IT Planning. The annual IT Plan is aligned with the College mission and goals, and contains prioritized initiatives with measurable outcomes, realistic budget estimates and required IT resources. Given the allocation of resources, service level agreements may be created or updated to reflect levels of IT services the College can provide.

Representative and participatory process

The allocation of IT resources shall be determined by the AVP for Information Technology Services with input from the Technology Advisory Committee (TAC) and approved by the Presidents Staff. TAC represents stakeholders from all College communities and is responsible for identifying the needs, expected outcomes, priorities, service levels, and resources for initiatives contained in the IT Plan. The AVP for Information Technology Services shall prepare the IT Plan and associated budget requests, SLAs and resource recommendations. The Resource Planning committee will approve the IT Plan and forward their recommendations to the President’s Staff for approval and appropriations.

Priorities For IT Resource Allocation

IT resources shall be allocated based on the priority of needs. Needs are determined through the College planning processes, and shall be transformed into programs or initiatives and classified as either “Must Do” or “Should Do”.

"Must Do" initiatives and programs are the top priorities. They are typically mission critical, required by code or law, essential to insure privacy, security and safety, or are driven by economic factors.

"Should Do" Initiatives and programs are prompted by the needs to stay competitive, improve efficiency, add value, create opportunities, improve services, and respond to the demand for more services. If not funded, these needs will eventually become “must do” initiatives.

Priorities are recommended by the Technology Advisory Committee.

History

11/16/2001 – Approved 09/20/2011 – Reviewed

Policy Student Technology Fee

Student Technology Fee Policy

Approved: Resource Planning Committee
Last Reviewed: 07/23/2012
Last Modified: 07/26/2012 (RPC)
Responsible Office: Information Technology Services

Florida Statute 1009.24 allows colleges to assess a technology fee up to 5% of tuition per credit hour, excluding Bright Futures and must be used to “enhance instructional technology for faculty and students”.

To that end, funds shall be used to:

• Broaden or enhance the quality of the academic experience through the use of technology in support of the curriculum;
• Provide additional student access to technological resources and equipment that are needed in support of instruction and to maintain and enhance the technological competency of students as it relates to their academic work;
• Increase the integration of technology into the curriculum; and
• Give faculty and staff the opportunity to participate in innovative student-focused technology

Possible uses of the revenue include but not limited to the following examples:

• Student computer workstations and upgrades
• Computer software upgrades used in instruction
• Public access computer workstations
• Wireless networks in learning spaces
• Learning management systems
• Internet bandwidth for media rich content
• Classroom instructional media technology
• Digital video and digital video editing equipment
• Instructional design

Proposed Process for Using Revenue from the Student Technology Fee

Step 1 – Develop proposals

• Proposals may be submitted by any group or individual;
• Proposals should be developed with input from key stakeholders;
• Proposals must have an executive sponsor; and
• Proposals must include a project scope, schedule, estimated resources and measurable outcomes to address the questions of: What will be done? How long will it take? What resources are required? And why is this project worth doing and how is it aligned with college goals?

Step 2 – Review and approve proposals

• Owners will present proposals to the TAC for review and feedback;
• TAC will forward proposals to the RPC with recommendations; and
• The RPC will approve projects, allocate resources and set project

Step 3 – Develop and execute implementation plans

• Owners and ITS will jointly develop an implementation plan;
• Owners will designate a person to work with ITS to execute of the plan; and
• ITS will serve as the project managers

Step 4 – Measure, assess and report

• ITS will monitor the implementation and report progress to TAC and RPC
• Owners will measure performance, assess outcomes and report findings to TAC and the RPC

Telephone Long-Distance Calling Policy

Long-Distance Calling Policy and Call Accounting Practices

Approved: November 16, 2001
Last Reviewed: 02/28/2012
Last Modified: 09/20/2011
Responsible Office: Information Technology Services

College telecommunication devices such as phones and fax machines shall not be used to make personal long-distance calls except with the use of a personal calling card. Offenders will be required to pay $1.00 per call plus $0.10 a minute.

Responsibilities

Individuals are responsible for purchasing personal calling cards, keeping their long-distance account codes private and documenting the business purpose of long-distance calls.

Department administrators are responsible for informing their employees of the long-distance calling policy, authorizing long-distance calling privileges and account codes for their employees, reviewing monthly call accounting reports and notifying Information Technology Services of discrepancies in call accounting reports and suspected misuses of long-distance calling privileges.

Information Technology Services is responsible for issuing account codes, reconciling long- distance bills and for conducting “spot” audits.

Call Accounting Practices

1. Account codes are recommended for securing your phone against others making unauthorized long-distance calls. They may also be used to make long-distance calls from any college phone with the calls recorded to your
2. Long-distance calling logs should be maintained to provide evidence that calls were made for business
3. Long-distance calling privileges must be approved by department
4. Long-distance calls are recorded monthly to department call accounting
5. Access to call accounting reports is restricted to department administrators and their designees, and to the telecommunications administrator in Information Technology Services.
6. Call accounting records are retained for 6 months

History

Effective date: 10/1/2005
Updated: 09/06/2010
Reviewed: 02/28/2012

Information Security Policies

Data Breach Notification Policy

Approved: 05/08/2017
Last Reviewed: 05/08/2017
Last Modified: 05/08/2017

Statement

Santa Fe College (SF) is governed by the notification requirements of Florida Statutes §501.17(3)-(6), otherwise known as the Florida Information Protection Act (FIPA) of 2014. Accordingly, SF shall provide timely and appropriate notice, as required, when there is reasonable belief that protected personal information held by SF has been compromised by a data breach.

Purpose

The purpose of this policy is to outline how SF will respond to incidents involving data breaches. It will identify and define steps and procedures that will be followed when those breaches occur and will address how affected individuals will be notified as required by the relevant state or federal laws.

Scope

This policy applies to all SF information assets or information assets under the care of SF, and applies to all faculty, staff, students, and individuals who interact with, access, or store SF electronic information regardless of storage device, medium, or physical location.

Definitions

Data Breach - An incident of unauthorized access of data in electronic form containing personal information,sometimes also referred to as a “breach of security” or a “breach”.

• Protected personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, and does not include information made lawfully available to the general public from federal, State, or local government
• Good faith acquisition of protected personal information by an employee or agent of SF for a legitimate purpose does not constitute a data breach, provided that the personal information is not used for a purpose other than a lawful purpose of SF and is not subject to further unauthorized

Information Technology (IT) Resources - Equipment or services used to input, store, process, transmit, and output information, including, but not limited to, desktops, laptops, mobile devices, servers, telephones, fax machines, copiers, printers, wired and wireless networks, Internet, email, cloud storage, and social media sites.

Technology Incident Response Team (TIRT) - A cross-functional group organized/selected by the Chief Information Officer (CIO) and comprised of skilled individuals within SF with the expertise, technical resources, and decision-making capability to coordinate a quick, effective, and orderly response to technology-related incidents. Previously referred to as the Information Security Incident Response Team.

Florida Information Protection Act (FIPA) - requires covered entities, which includes certain government entities, conducting business in Florida that acquire, maintain, store or use personal information, to inform Florida residents of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information. FIPA provides the following definitions of what constitutes protected personal information:

1. The first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are neither encrypted nor redacted:
   • Social Security Number
   • A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify
   • Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts.
   • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
   • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
2. A user name or email address, in combination with a password or security question and answer that would permit access to an online account

Additional definitions of the terms used in this policy can be found in the SF IT Policies Appendix A.

Policy

5.1 Reporting responsibilities

All individuals affiliated with SF in any capacity, including but not limited to staff, students, faculty, contractors, visitors, and alumni, should report suspected or actual data breaches immediately to their supervisor, any SF Executive/Managerial employee, or directly to the Information Technology Services Help Desk at 352-395-5999.

Examples of the types of incidents to report include, but are not limited to:

• Access to SF IT resources by unauthorized individuals
• Evidence of unauthorized access into a system containing private/confidential data
• An unauthorized attempt to physically enter or break into a secure IT area
• Unauthorized sharing of SF IT login credentials.
• Loss of an SF hardware resource such as laptop, tablet, cell phone, or removable data storage devices.
• Hacking or defacing of an SF online resource
• Documents containing private/confidential data sent in any form to a wrong recipient.
• Employee misuse of authorized access to disclose or mine private or confidential data.

5.2 Activating the Technology Incident Response Team

Upon receipt of a suspected information security breach, the CIO or designee, or other cognizant representative, will convene the Technology Incident Response Team (TIRT) without undue delay to expeditiously conduct a fact-finding investigation to determine whether a data breach or compromise has occurred.

5.3 Security Breach Initial Procedures

Containment - If the TIRT determines there was a data breach, the TIRT will partner with Information Technology and the affected office or department to contain the breach.

Assessment - Once the breach is contained and eradicated, the TIRT will assess the extent and impact of the breach.

Data preservation - All evidence related to the breach will be preserved for future analysis.

Documentation - Each step related to the breach and breach investigation will be fully documented.

Reporting and legal obligations - The TIRT will consult with the college’s General Counsel to determine specific legal obligations relating to the breached information and relevant reporting obligations such as:

• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• State of Florida laws
• Federal laws including the Federal Trade Commission Act and Gramm-Leach-Bliley Act
• Any relevant contractual obligations

If a data breach compromises protected personal information of over 500 individuals in the State of Florida, SF must inform the Florida Department of Legal Affairs as well as each affected or likely affected resident within 30 days of the breach

Where Federal OMB M-17-12 requirements would apply, SF will report actual or imminent breach of personally identifiable information (PII) to an OJP Program Manager no later than 24-hours after an occurrence of an actual breach, or the detection of an imminent breach.

Additionally, SF will be required to make certain materials available to the state government upon request, such as remedial procedures, incident reports, and computer forensic

5.4 Notification to Victims

5.4.1 Timing for Providing Notification

If required by law, SF shall notify affected individuals, regardless of the overall number of affected persons, without unreasonable delay and within 30 days upon discovery of a data breach. Notification shall be delayed, however, if a law enforcement agency informs SF that disclosure of the breach would impede a criminal investigation or jeopardize national or homeland security. A request for delayed notification must be made in writing or documented contemporaneously by SF in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The required notification shall be provided without unreasonable delay after the law enforcement agency communicates to SF its determination that notification will no longer impede the investigation or jeopardize national or homeland security.

5.4.2 Responsibility for Providing Notification

The Office of the General Counsel will review the proposed notification prior to being sent and will assist in drafting as required. A copy of the notification will also be provided to the Office of the President of SF prior to the time it is posted or sent to affected individuals.

5.4.3 Contents of the Notification

• A description of the incident in general terms and a timeline of the data breach.
• A description of the type of personal information that was subject to possible unauthorized access and acquisition.
• A description of the actions taken by SF to protect the personal information from further unauthorized access.
• A telephone number that affected individuals may call for further information as well as directions for the person to remain vigilant by reviewing account statements and monitoring free credit reports.
• The toll-free numbers and addresses for the major consumer reporting agencies.
• Beyond notification and except where required by law, SF makes no promise of service to individuals affected by a data breach. SF, however, may elect to provide additional services to affected individuals at its discretion.

5.4.4 Methods of Notification

• Written notice by first class mail to each affected individual
• or
• Electronic notice to each affected individual if communication normally occurs in that medium
• or
• Telephonic notification provided that the contact is made directly with the affected person(s).
• Substitute notice may be provided if the cost of providing the written notice required to each affected individual would exceed $250,000, or that the affected class of individuals to be notified exceeds 500,000, or SF does not have sufficient contact information to notify affected individuals. Substitute notice consists of all of the following:
  • Conspicuous posting of the notice on the institution website for a minimum of 45 days
  • and
  • Notification to major media outlets that reach the general public.
• Whenever notice of data breach is given to more than 1,000 persons, SF will notify, without unreasonable delay, all three major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

IT Responsibilities

All entities that collect customer data should "take reasonable measures to protect and secure data in electronic form containing personal information" on individuals. The SF ITS Department will be responsible for the following:

• Training employees on steps to take to ensure data security as part of their job duties.
• Purchasing data security software.
• Limiting employees’ access to data that each specific employee needs to complete their job requirements.
• Regularly auditing file access permissions.
• Implement procedures for reporting data breaches or violations of security protocol.
• Educating employees on any new developments in data breach security.
• Hiring a security expert to periodically review the security of SF data.
• Implementing disposal standards for customer data no longer to be retained.
• Implementing a yearly practice exercise of this policy and adjusting as necessary.

Contact

Questions regarding this Policy should be directed to Information Technology
Services at 352-395-5999 or can be emailed to help.desk@sfcollege.edu.

History/Revision Dates

Approved: 05/08/2017

Digital Media Sanitization Policy

Digital Media Sanitization Policy

Approved: August 13, 2010
Last Reviewed: 06/30/2011
Last Modified: 06/30/2011
Responsible Office: Information Technology Services

Purpose

The purpose of the Digital Media Sanitization Policy is to prevent and mitigate the risk of unauthorized disclosure of sensitive information during the transfer or disposal of digital storage media and computing devices.

Scope

This policy applies to college-owned digital media/devices that are generally used for storing or transmitting data and therefore have the capacity to contain sensitive information. Digital storage media includes but not limited to floppy disks, zip disks, DVDs, CDs, external hard drives and USB storage devices. Digital computing devices include but not limited to desktop computers, laptop computers, tablet PCs, printers, scanners and copiers.

Procedure

This procedure has been adapted for Santa Fe College from the National Institute of Standards and Technology (NIST) Special Publication 800-88 Standards for Media Sanitization.

The NIST Guidelines identifies four types of media sanitization to use with various types of storage media and devices – Disposal, Clearing, Purging and Destroying.

• Disposal involves discarding the
• Clearing makes the data on the media unreadable by normal means such as
• Purging removes the data and protects the removed data from laboratory grade attacks by means such as
• Destroying makes the media unusable by means such as disintegrating, pulverizing and

Disposing surplus digital computing devices: Computing devices declared surplus by the Property Office and sold or transferred to another entity shall be disposed in accordance with Procedure 5.7P – Tangible Personal Property Control and sanitized by a vendor under contract with the College to dispose of digital devices in compliance with this policy.

Transferring digital computing devices internally: Computing devices transferred to different departments and/or functions shall be sanitized in Information Technology Services (ITS) using the methods described below. An ITS specialist shall certify that the property has been sanitized in compliance with this policy by signing the Property Disposition form or the IT Property Disposition Form.

Disposing/recycling surplus digital storage media: Storage media considered obsolete or not needed by departments shall be sanitized using methods described below.

Media Sanitation Methods

Approved Overwriting Technology

The following overwriting software has been approved for disk sanitizing at Santa Fe College. The software overwrites the entire disk, multiple times if necessary, to ensure that all data is not recoverable.

• WipeDrive 0 Pro
• Ghost GDisk 0

Related Documents:

• Procedure 7P Tangible Personal Property Control Property Inventory Control Final Disposition form

History

08/13/2010 – Approved
06/30/2011 – Revised

Information Technology Policies v20110630

Guidelines for Student Privacy

Guidelines for Maintaining Privacy of Student Records

Approved:
Last Reviewed: 03/28/2011
Last Modified: 01/30/2001
Responsible Office: Registrar

The purpose of this policy is to provide guidelines for the protection and privacy of student information.

Guidelines

1. The Registrar and records personnel are entrusted with the responsibility of keeping and releasing student information. Except in the case of dependent students, even parents have no right of access to the records of students in post- secondary institutions. In all cases the decision to release such information shall be the responsibility of the Registrar.

2. College students’ rights of privacy and access regarding their educational records are articulated in the Family Educational Rights and Privacy (FERPA) Act of 1974, as Amended, commonly known as the Buckley Amendment. The act applies to all institutions that receive federal funding; thus, virtually all institutions fall under its jurisdiction.

3. Only those faculty members and employees of the educational institution who have a legitimate educational interest in a student’s record should access that record, i.e. students who have or are taking courses from a given instructor.

4. An educational institution is liable for the actions of its agents when those agents are acting within the scope of their authority. An employee not acting within the scope of his or her authority can be sued and found personally liable on several counts, including negligence, defamation of character, and violation of an individual’s constitutional rights.

5. Remember that your workstation is an extension of your access and rights to the student records. Do not tell anyone your password or give access to student records to anyone else. Do not leave your computer while student information is displayed on the screen, or leave your computer unattended while still signed-on, and be certain to sign-off immediately when you are done using the system.

6. Under no circumstances should an employee give information about students to other students, to other employees or to any other person who has not been authorized to receive such data by their college position or by the departmental supervisor. Although certain information may be released to faculty in your area, any such requests coming from students or from anyone off campus should be referred to the Office of the Registrar, Dean of Student Development, or Campus Security. If you are in doubt about an individual’s authority to receive student data, consult your department supervisor. Each member of the College plays an important role in maintaining the security and confidentiality of student records. Any breach of confidentiality of student records is in direct violation of Board of Trustee Rule 7.20.

Questions regarding student data system security procedures may be directed to your departmental supervisor.

History

01/30/2001 – Approved
08/24/2009 – Reviewed
03/28/2011 – Reviewed

IT Security, Privacy and Audit Statement

Information Technology Security, Privacy and Audit Statement

Approved: October 29, 2009
Last Reviewed: 08/30/2011
Last Modified: 08/30/2011
Responsible Office: Information Technology Services

Santa Fe College (SF) employs various measures to safeguard its Information Technology (IT) resources and its users’ accounts. Users should be aware, however, that the College cannot guarantee security and confidentiality. Users should therefore engage in safe computing practices by establishing appropriate access restrictions for their accounts, guarding their passwords and changing them regularly.

Users should also be aware that their uses of SF IT resources are not completely private. Although SF makes every effort to ensure privacy and does not routinely monitor or audit individual usage of its IT resources, the normal operation and maintenance of those resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns and other such activities that are necessary for the continuation of service. SF may also monitor or audit the activity and accounts of individual users of SF IT resources, including individual login sessions and the content of individual communications, without notice, when:

• the user has voluntarily made them accessible to the public, as by posting to a listserv or a web page;
• it reasonably appears necessary to do so to protect the integrity, security, or functionality of College IT resources or to protect the College from liability;
• there is reasonable cause to believe that the user has violated or is violating college policy;
• a user appears to be engaged in unusual or unusually excessive activity; or
• it is otherwise required or permitted by law.

Any such monitoring of communications, other than what is made accessible by the user, required by law, or necessary to respond to perceived emergency situations, must be authorized in advance by the CIO in consultation with at least one college Vice President and/or college legal counsel. SF, in its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications, to appropriate college personnel or law enforcement agencies and may use those results in appropriate college disciplinary proceedings. Communications made by means of SF IT resources are also generally subject to the Florida Public Records Law to the same extent as they would be if made on paper.

Authority

This policy has been created by Information Technology Services by the authority described in the Santa Fe College Information Security Policy and shall be complied as though it were part of the Information Security Policy document.

References

Florida Public Records Law
Information Security Policy

History

02/02/2001 – Approved with the AUP
09/24/2009 – Removed from the AUP and revised

Information Technology Policies 08/30/2011

Information Security Policy

Information Security Policy

Approved: 7/07/2008 (Presidents Cabinet)
Last Reviewed: 08/30/2011
Last Modified: 08/30/2011
Responsible Office: Information Technology Services

Santa Fe College has established standards for the protection and security of information, and for the use of information and technology resources. Information is secure only when its integrity can be maintained, its availability ensured, its confidentiality preserved and its access controlled. Security procedures protect information from unauthorized viewing, modification, dissemination, or destruction and provide recovery mechanisms from accidental loss. The security of information is the responsibility of all people who are authorized to access it and all who access it are expected to abide by these standards.

Purpose

This policy provides details about standards for the use of information and information technology resources. Santa Fe College is committed to respecting and protecting the security and privacy of information it creates, uses, transmits, stores and destroys in accordance with applicable laws and regulations as well as reasonable business judgment, discretion and common sense. Each person subject to this policy will sign a statement affirming that they have read, that they understand, and that they intend to comply with the provisions stated herein. The signing of this statement is a requirement for obtaining access to the college’s information systems and networks.

Scope and Application

The Information Technology Services (ITS) department is responsible for establishing and maintaining organizational information security policies, standards, guidelines and procedures. The focus of these activities is on information, regardless of the form it takes, the technology used to manage it, where it resides and which people possess it.

This policy applies to employees, students, volunteers, contractors, temporary workers and any others who use college information resources or who have access to information. The policy applies equally to any college information including but not limited to electronic data, written or printed information and any other intellectual property of the organization. The information resources also include hardware, software and manuals. All individuals agree not to disclose information improperly or to use information improperly or unethically for personal or professional gain, or to discredit or harass someone.

Introduction

Critical College Function: Reliable information and information systems are necessary for the performance of many of the essential activities of Santa Fe College. If there were to be a serious security problem with the information or information systems, the College could suffer serious consequences such as legal liability and tarnished reputation. Accordingly, information security is a critical part of our business environment.

Not withstanding the above statement, the following identifies certain restricted information that requires enhanced protections under the law.

• Personally Identifiable Information (PII) “
• Private Educational Records protected under the Family Education Rights and Privacy Act (FERPA)
• Credit card data regulated by the Payment Credit Card Industry (PCI)▪ Electronic Protected Health Information (ePHI) protected by the Federal Health Insurance Portability and Accountability Act (HIPAA) or Florida medical privacy
• Information specifically identified by contract or protected by Florida state law

Refer to the Guidelines for Safeguarding Restricted Data.

Owners, Managers, Stewards, and Users of such information all have obligations to identify such information and take reasonable precautions to ensure that it is kept confidential. The following section describes the roles and responsibilities of Owners, Managers, Stewards and Users in further detail.

Supporting College Objectives. This policy has been prepared to ensure that the College is able to support its educational mission and maintain its reputation for integrity. Because the prevention of security problems is considerably less expensive than correction and recovery, this document may also reduce costs over time.

Consistent Compliance. A single unauthorized exception to security measures can jeopardize other users, the entire organization, and other external business partners. The interconnected nature of information systems requires that all users observe a minimum level of security. This document defines that minimum level of due care. In some cases, these requirements will conflict with other objectives such as improved efficiency and reduced costs. The tradeoffs have been examined and it has been concluded that the minimum requirements defined in this document are appropriate for all college workers. Therefore, as a condition of continued employment, all workers (employees, contractors, consultants, temporaries, volunteers) must consistently observe the requirements set forth in this document.

Team Approach: Users must play an important role in the information security area. Because information and information systems are distributed to desktop PC’s, and sometimes used in remote locations via portable devices, the user’s role is an essential part of information security. Information is no longer the exclusive domain of ITS – information security is a team effort requiring the participation of every worker who comes in contact with the College and its information systems.

Every user must understand college policies and procedures about information security, and must agree in writing to perform his or her work according to such policies and procedures. Responsibility for information security on a day-to-day basis is everyone’s duty. Specific responsibility for information security is NOT solely vested in ITS.

Information Security Responsibilities and Procedures

Information Owners: College administrative officers shall be designated as the information Owners of all types of information used for regular business activities. When Owners are not clearly implied by organizational design, the Chief Information Officer (CIO) in consultation with the Presidents Staff will make the designation. Owners do not legally own the information; they are instead members of the administrative team who have policy-making responsibility for a particular set of information assets and are authorized to make decisions on behalf of the College. Owners, or their designees, are responsible for implementing information security policies and standards concerning their information.

Information Owners will be responsible for their information and information systems; recommend appropriate business use of their information; authorize information access and privileges; communicate control and protection requirements to Stewards and Users; monitor compliance; and periodically review requirements of information protection.

Information Owners must designate a back-up person to act in their absence. Owners may not delegate ownership responsibilities to third party organizations (such as outsourcing firms or consultants) or to any individual who is not a full-time employee.

Information Managers: Owners do not ordinarily approve requests for access. Instead, a user’s immediate supervisor, usually the department or program administrator, approves a request for system access based on job profiles. If a profile doesn’t exist, the managers’ responsibility is to create the profile and obtain the approval of relevant Owners.

Similarly, when a worker leaves the College, the worker’s immediate supervisor is responsible for promptly informing the Steward and Owner that privileges associated with the worker’s user-Id must be revoked. User-Id’s are specific to individuals and should not be reassigned to, or used by, others unless they are approved for generic accounts.

Managers must review all user access rights at least once a term and after any change in a users’ employment status (promotion, demotion, transfer or termination), and more frequent review of users with access to sensitive information.

Managers and Owners are expected to oversee User compliance with this and other security policies.

Information Users: Users are not specifically designated, but are broadly defined as any worker with access to information or information systems. Users are responsible for acting in accordance with college information security policies and will seek access to data only through the authorized processes, access only the data needed to carry out job responsibilities, participate in information security training/awareness programs, report suspicious activity and security problems, and agree in writing to abide by college security policies

Information Stewards: Stewards are in physical or logical possession of information and/or information systems. Like Owners, Stewards are specifically designated for different types of information. In most cases, Information Technology Services (ITS) will act as the Steward.

If a Steward is not clear based on the operational arrangements of existing information systems, the CIO in consultation with the Owners will designate a Steward. Stewards follow the instructions of Owners, operate systems on behalf of Owners, but also serve Users authorized by Owners.

In cases in which the information being stored is paper-based, and not electronic, the Steward responsibilities will logically fall to the department gathering the information. For such systems, ITS can offer guidance and suggestions, but will not provide the steward services.

Stewards shall define information systems architectures and provide technical consulting to Owners so that information systems can be built and deployed to best meet college goals. If requested, Stewards additionally provide reports to Owners about information system operations, information security problems, and the like. Stewards are furthermore responsible for safeguarding the information in their possession, including implementing access control systems to prevent inappropriate disclosure, as well as developing, documenting, and testing information contingency plans.

Information Security: The Information Technology Services (ITS) department and more particularly, the Information Security Specialist is the central point of contact for all information security matters at Santa Fe College. Acting as internal technical consultants, ITS is responsible for creating workable information security compromises that take into consideration the needs of various Users, Managers and Owners. Reflecting these compromises, ITS shall define information security standards, procedures, policies, and other requirements applicable to the entire organization. ITS is responsible for handling all access to control management activities, monitoring the security of the College information systems, and providing information security training and awareness programs to college workers. The department is additionally responsible for periodically providing the President’s staff with reports about the current state of information security.

ITS shall also provide technical consulting assistance related to emergency response procedures and disaster recovery. ITS is responsible for implementing procedures to promptly respond to virus infection, hacker break-ins, system outages, and similar security problems. Guidance, direction, and authority for information security activities are centralized for the entire organization in the ITS department.

ITS shall provide the direction and technical expertise to ensure that College information is properly protected. This includes consideration of the confidentiality, integrity, and availability of both information and the systems that handle it. ITS will act as a liaison on information security matters between all departments, and shall be the focal point for all information security activities throughout the organization. ITS shall perform risk assessments, prepare action plans, evaluate vendor products, assist with control implementations, investigate information security breaches, and perform other activities that are necessary to assure a secure information-handling environment.

ITS has the authority to create, and periodically modify, both technical standards and standard operating procedures (SOP), which support this information security policy document. These SOPs, when approved by the CIO, have the same scope and authority as if they were included in this policy document. When a standard or procedure is intended to become an extension of this policy document, the document will include these words: “This standard or procedure has been created by the authority described in the Santa Fe College Information Security Policy, and shall be complied with as though it were part of the Policy document.”

Information Technology Services Responsibilities, Policies and Procedures

Information Technology Services shall establish and maintain sufficient preventive and detective security measures to ensure that Santa Fe College’s information is free from significant risk of undetected alteration.

Information Security Policy Document

• This Department is responsible for developing and maintaining this information security policy document.
• The policies and procedures in this document will be reviewed and evaluated on a regular basis.
• The President’s Cabinet fully supports the development and enforcement of these information security policies and procedures.

Information Security Organization

• The CIO will oversee and ensure compliance with policies and procedures within the IT organization.
• The Information Security Specialist will occasionally test users to ensure that consist compliance exists across the organization.
• Third Party connection access requirements to the computer network are documented in contracts and agreements.
• Information security requirements are fully specified in outsourcing contracts.

Asset Classification

• An IT Asset Management System shall be in place to track the movement of IT hardware, software and information assets.
• Sensitive information assets are classified as confidential.
• Classified information transmitted over insecure networks, such as the Internet, must be adequately encrypted.

Personnel Security

• Positions with specific information security job responsibilities have been documented in job descriptions.
• Applicants for positions that involve access to sensitive facilities receive a pre-employment background check and a thorough screening, including past criminal and credit checks.
• Information security awareness is recognized as a significant risk management issue.
• New employees receive information security policies as part of their orientation, and as part of ongoing communication activities.
• Information security breaches are logged and analyzed for patterns. A disciplinary process is in place for dealing with breaches.

Physical Security

• There are cipher or magnetic card locks on computer room doors, and codes / authorized cards are limited to authorized persons.
• Computer rooms have installed fire suppression equipment. Maintenance is performed at least annually.
• All computer systems (including PBX and communication rooms housed separately from the main data center) are tied into an Uninterrupted Power Supply (UPS) system. The computer room is equipped with a backup generator that is tested on a periodic basis.
• Computers and magnetic media are cleaned of sensitive information prior to disposal.

Computer and Network Security

• All computer systems and applications have documentation describing operational procedures. Documents are formally maintained and required for all applications. It is the responsibility of IT managers to ensure the accuracy of the system documentation, procedures and manuals.
• There is a documented change control process. Changes to most networks, operating systems or application systems are documented and approved.
• A formal capacity and resource planning effort has been established. New applications and machines are periodically reviewed. There is regular tracking of utilization and bottlenecks and some planning for future requirements.
• There is a documented virus policy and protection program. Virus detection software is installed on all file servers and personal computers. Virus signature updates are routinely posted. There are adequate preventative controls.
• Appropriate, frequent backups of business-critical systems are stored in remote, fireproof safes or hot sites. Thorough testing has proved that recovery processes work. Retention periods for all essential business information have been determined.
• Operations staff maintains a work log (system start and finish times, system errors and corrective actions, confirmation of input and output). Most systems are monitored, with critical systems given more attention.
• A network monitoring package and a commercial firewall and proxy servers are in place. Firewall configurations are based upon industry best practices or certified. Operating system and router settings are benchmarked on industry best practices, and kept up-to-date with patches/upgrades recommended by product vendors and/or other professional sources.
• Logs/lists of tapes to help trace or locate a backup tape are maintained. Media is physically secured and housed in locked rooms or cabinets.
• Basic controls secure e-commerce activities, including general email policies, secure FTP, and web servers implemented with basic security controls including SSL encryption.

System Access Control

• A formal procedure for requesting and approving system access exists. A written request form must be completed in order to create, modify, or delete any user
• All users are made aware of their responsibilities with respect to the selection and use of strong passwords. Passwords expire at least every 90 days. Stricter controls exist on sensitive systems or accounts. There are no shared or guest
• Only authorized users are able to gain access to networked systems from a remote location. There are adequate controls over the authentication of remote users using Virtual Private Network (VPN). Network access is generally controlled through the use of firewalls at major access
• Unique user IDs and strong passwords are the rule in order to gain access at the operating system level on all systems. Logon processes are secure, and passwords would be difficult to guess. There are no anonymous or shared
• All powerful system utilities are fully protected against unauthorized access. Most have been removed from the live systems and special access procedures are in
• Event logs are kept automatically for most systems showing unauthorized access attempts, privileged operations, major system events, and system failures. Logs are reviewed daily or in response to
• Reasonable controls are provided to most laptops, such as access control software using passwords, regular backups and virus prevention. Remote or mobile users must access network information and information systems through firewalls via the

System Development and Maintenance

• Policy requires that encryption be used for critical or sensitive systems, and for some mail or files transmitted over public networks. Adequate encryption and public key management techniques are used. Users are responsible for managing their own encryption products and public
• Formal procedures have been established regarding the steps needed to update or upgrade Operating Systems and User Applications. System administrators, testing personnel, and network management are involved in testing before any migration from test to production systems is
• Modification of vendor-supplied packages is strongly discouraged, and they are only modified directly in-house as a last resort. The written consent of the vendor is always obtained, with potential impacts to future releases documented and

Business Continuity Planning

• Management supports the development and maintenance of Business Continuity Plans (BCP) across the organization. IT Managers are responsible for coordinating BCP's. BCP’s are updated regularly, and are occasionally tested to determine
• BCP's address most of the following: outline of responsibilities, conditions for activating the plan, emergency procedures, contact lists, fall back and resumption, and a program for awareness, education, and
• A comprehensive IT disaster recovery plan is an integral part of all applicable BCP’s.
• All BCP’s are tested at least annually, and testing is scheduled for specific departmental BCP’s in response to modifications to affected application systems or computer systems. All connections with critical third parties are

Compliance

• There are strong management controls in place to monitor and ensure compliance. A control framework is designed in conjunction with legal advisors and management responsibilities are clearly allocated. There are regular independent risk-based compliance reviews and management reporting. Users who break laws or contractual obligations are considered for discipline and possible prosecution.
• All managers and staff are educated about their responsibilities through orientation, policy and other awareness methods (e.g., newsletters, posters, flyers, etc.). Staff must demonstrate active compliance with the controls, and must re-affirm their understanding of policies by annual acknowledgement and review.
• Standards for secure configuration settings are comprehensive and regularly updated.
• A comprehensive program of regular reviews of compliance with secure configuration standards is scheduled, aided by automated technical security auditing tools.
• Information security audits are conducted on a regular basis, based on risk analysis results. Automated audit/security scanning and assessment utilities and tools are frequently used.
• Audit, scan, or verification processes are documented; controls over access to audit materials have been established. Logging facilities are in places that have been designed for most application systems. Access to system audit tools and system audit facilities is strictly controlled.

History

07/07/2008 – Approved
02/12/2010 – Revised
08/30/2011 – Revised

Information Technology Policy v20110830

Internet Privacy Policy

Internet Privacy Policy

Approved: September 14, 2000
Last Reviewed: 08/30/2011
Last Modified: 08/30/2011
Responsible Office: Information Technology Services

The purpose of this policy is to inform visitors to the College’s website about the information collected and not collected about them.

Internet Privacy Statement

Thank you for visiting Santa Fe College’s website. Your privacy is very important to us. Simply stated, our policy is to collect no personal information about you when visiting our website unless you affirmatively choose to make such information available to us.

When you visit our website, our web server automatically recognizes only the Internet domain and IP address from which you accessed our website. This information does not result in the identification of your personal email address or other personal information.

In addition, we gather information regarding the volume and timing of access to our website by collecting information on the date, time and website pages accessed by visitors to the website. We do this to improve the content of our website, and this information is not shared with other organizations. Again, only aggregate information is collected, and individual visitors’ personal information is not identified.

If you choose to share personal information with us - by subscribing to list serves, sending us a message, or filling out an electronic form with personal information – we will use the information only for the purposes you authorized. Some of the information may be saved for a designated period of time to comply with Florida’s archiving policies, but we will not disclose the information to third parties or other government agencies, unless required to do so by state or federal law.

If you have questions about the privacy policy, please go to askSantaFe or call the Help Desk at 352-395-5999.

History

09/14/2000 – Mandated by State CIO Office
02/04/2010 – Revised
08/30/2011 – Revised

Information Technology Policy v20110830

Incident Response Policy

Approved: 05/08/2017
Last Reviewed: 05/08/2017
Last Modified: 05/08/2017

Statement

Santa Fe College (SF) is committed to conducting business in compliance with all applicable laws, regulations and SF rules and policies. SF has adopted this policy to minimize possible negative consequences of a technology incident and to improve SF’s ability to promptly restore operations affected by such incidents. This policy will outline and define standard methods for identifying, tracking and responding to those incidents, following a pre-defined and consistent incident handling methodology.

Purpose

The purpose of this policy is to define what constitutes a security incident and to create a framework that will enable SF to respond in a quick, effective and standardized manner in the event of an information security incident. It will also assist in ensuring that all obligations under SF policy, along with state and federal laws and regulations, are fulfilled and adhered to with respect to such incidents. The incident response plan will define areas of responsibility during each phase and establish procedures for handling each phase with the goal of minimizing negative consequences and resuming normal operations as quickly as possible.

These procedures are not intended to replace in part, or in whole, pertinent Florida or federal laws. Such laws include the Computer Crimes Act, Chapter 815 of the Florida Statutes; the Public Records Law; Chapter 119 of the Florida Statutes; 501.171 of Florida Statutes for security of confidential personal information; or obscenity and child pornography laws.

Scope

This policy applies to users of any IT resource owned, operated, leased, licensed, or managed by SF. Users include, but are not limited to, students, faculty, staff, contractors, alumni, guests or agents of the administration, and external individuals and organizations using IT resources, wired or wireless, regardless of location and ownership of the connecting device.

Definitions

Information Technology (IT) Resources - Equipment or services used to input, store, process, transmit, and output information, including, but not limited to, desktops, laptops, mobile devices, servers, telephones, fax machines, copiers, printers, wired and wireless networks, Internet, email, cloud storage, and social media sites.

Information Security Incident - Sometimes referred to as an “electronic security incident”, a “technology incident”, or simply an “incident”, an information security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information; interference with information technology operations; or violation of explicit or implied acceptable use policy. Information security incidents range from unauthorized intrusions into SF network systems to mishandling information in a way that may risk its confidentiality, integrity, or availability.

1. Examples of information security incidents included (but not limited to):
   1. Computer security intrusion
   2. Unauthorized use of systems or data
   3. Unauthorized change to computer or software
   4. Loss or theft of equipment used to store private or potentially sensitive information
   5. Denial of service attack
   6. Interference with the intended use of information technology resources
   7. Compromised user account
2. A serious incident is an incident that may pose a threat to college resources, stakeholders and/or services. Specifically, an incident is designated as serious if it meets one or more of the following criteria:
   1. Involves potential unauthorized disclosure of sensitive information (as defined below)
   2. Involves serious legal issues
   3. May cause server disruption to critical services
   4. Involves active threats
   5. Is widespread
   6. Is likely to raise public interest

Confidential Data - For the purposes of this policy, confidential data or confidential information is information stored and/or housed by electronic methods for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be required. Unauthorized access to or disclosure of confidential information could constitute an unwarranted invasion of privacy and cause financial loss and damage to the College’s reputation and the loss of community confidence.

Policy

5.1 Incident Reporting

Technology and computing systems are essential to the institution's academic and financial well-being. A security breach in any one of these systems could have a devastating effect on each member of the SF community. Each user is a stakeholder in the security of these systems and is encouraged to exercise active vigilance in reporting suspected information security vulnerabilities.

If you believe that your computer system has been compromised in any way, it is best to report the incident to the Help Desk at extension 5999. Our support staff will help you assess the problem and determine how to proceed. Since quick response is essential in limiting the damage caused by a security incident, we encourage everyone to report information that may help identify breaches in the security of SF technology systems.

If you witness a physical crime in progress, such as someone stealing a computer system, you should always alert the Santa Fe College Police Department by calling 352-395-5555 or call 911.

5.2 Incident Classification/Severity Assessment

In order to facilitate the accurate and productive response to any information security incident, all incidents must be classified and assessed by the Technical Incident Response Team (TIRT) for severity. The classification levels below are designed to indicate how many people are affected, or potentially affected, by the incident being addressed. The lowest level includes incidents that impact a single person, while the highest level may affect the entire college community. As the incident progresses, its classification may be reevaluated and changed to ensure proper handling.

It is also possible that one incident may fall under multiple classifications. If this happens, the classification with the highest severity will dictate the course of the incident response.

Low

• Threats, harassment, or criminal offenses involving individual user accounts.
• Compromise of individual user accounts.
• Compromise of desktop systems.
• Forgery, misrepresentation, or misuse of resources.
• Denial of service on individual accounts.

Medium

• Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks to infrastructure, confidential service accounts or software areas.
• Large-scale attacks of any kind (worms, sniffing attacks, etc.).
• Some network failures, denial of service, minimal impact to business operations occur, however there is minimal loss or compromise of information.

High

• Significantly impact the reputation of the institution or its ability to conduct normal operations.
• The release of sensitive, confidential, or privileged data.
• Affects business continuity.
• There is a reasonable expectation that Confidential Data was accessible to unauthorized individuals as a result of the incident.
• There is a reasonable expectation that the incident has or may result in financial theft or loss of intellectual property.
• The incident could have long term effects on the Campus community.
• The incident affects critical systems or has a Campus-wide effect.
• The incident is a violation of Florida State and/or Federal law.
• There is a possibility that the incident has or could result in compromise of additional SF systems or data.
• There is a possibility that physical harm could result to any person or to College property as a result of the incident.
• There is a possibility that the incident could affect the availability of SF or department mission-critical infrastructure, systems, applications, or data.
• The data or systems involved in the incident are impacted by state or federal regulation, grants, or College policy.

5.3 Incident Response for Each Severity Level

• Regardless of the severity level, the following will occur:
  • The ITS Help Desk technician taking the initial report will document as many of the details of the incident as possible in the Help Desk ticketing system. They will then determine what the problem is and assess its magnitude (low, medium, or high) based on all currently available information.
  • Once the Manager of Systems and Networking or his/her designee is notified of an incident, she/he will task appropriate personnel to begin the containment and recovery procedures. If they do not have enough people on-hand to properly contain and/or recover from the incident, they will work with the User Support Manager and the ITS Director to task employees from other areas of ITS.
  • Once the Chief Information Officer (CIO) is notified of an incident, they will conduct an investigation to determine if the TIRT needs to be activated. More details are provided below for each level of severity.

Low

• If the incident type -- such as an infected computer -- falls under the duties and responsibilities of the Help Desk or another member of Desktop Support, then the appropriate technician will handle the incident themselves and only report the results to User Support Manager as necessary.
• If the incident involves a legal issue, then the technician will report the incident to the User Support Manager.
• If an incident is escalated to the User Support Manager, they will determine if the incident can be handled at the Desktop Support level, or if it needs to be escalated to the Systems and Datacenter Manager and/or the CIO.
• If the CIO is notified, they will investigate and may activate the TIRT under extreme circumstances, or they may simply turn the matter over to the SFPD and/or the College’s Legal Department.

Medium

• If the Help Desk determines that multiple people are being affected by a particular incident, they will notify a Systems and Datacenter Manager or technician (or the ITS Director, depending on the issue) and the User Support Manager as soon as possible. They may also notify the CIO for informational purposes.
• Once an incident has been escalated from the Help Desk, the area of ITS in charge of the incident may notify the CIO on a case-by-case basis. They will also keep User Support Manager and the Help Desk up-to-date on the incident in order to mitigate misinformation.
• If the CIO is notified, they will begin the investigation and may activate the TIRT on a case-by-case basis.

High

• If the Help Desk determines that multiple areas of the college are being impacted by a particular incident, they will notify the User Support Manager, Systems and Datacenter Manager, and the CIO as soon as possible.
• Once the CIO is notified, they will begin the investigation process and activate the TIRT.
• The CIO or designee will keep User Support Manager and the Help Desk up-to-date on the incident in order to mitigate misinformation.

5.4 Technology Incident Response Team (TIRT)

5.4.1 TIRT Structure

TIRT Leader: The CIO is responsible for organizing, activating, and directing the TIRT. Typical duties center on managing incident response processes, but also updating policies and procedures to better anticipate and respond to future incidents. The CIO performs high-level direction of the team’s overall activities including confirmation of an incident.

TIRT Incident Lead: This position has ownership of the particular incident -- or set of related incidents -- and is designated to coordinate all TIRT actions and responses. All information about incidents must be passed through the TIRT Incident Lead before it leaves the team and is passed on to the organization or the public. It is possible that there could be more than one Incident Lead depending on incident types and levels of expertise. The Incident Lead should have a fundamental understanding of information technology but does not necessarily need to possess a high degree of information technology proficiency.

TIRT Associate Members: Although additional temporary team members may be required, depending on the incident type and their area(s) of expertise, the TIRT should have core member representation from the following areas:

• Human resources
• General Counsel
• SF Police Department
• Records
• Student Life
• IT Security
• Risk Management
• Counseling (as needed)
• Finance
• Communications and Creative Services

TIRT Availability: Because technology incidents can occur at any time, the availability of the team is paramount. To maximize the full potential of the team, members must be available outside of normal business hours and have proper clearance in the event of dealing with sensitive or confidential data.

5.4.2 Activating the TIRT

Upon notification of a technology incident, the Chief Information Officer (or designee) will carry out an initial investigation and make the decision whether to activate the TIRT. The TIRT has both an investigative and problem-solving component. Its mission is to be responsible for investigating, classifying, resolving, and documenting technology incidents in a timely, cost-effective manner and to report their findings to management and other appropriate authorities as required. During their investigation, they may call upon additional offices and resources to carry out the investigation and the remediation of any incident. The TIRT is authorized to take appropriate steps deemed necessary to contain, mitigate, or resolve a technology incident, and their responsibilities include, but are not limited to:

• Determining the impact, scope, and nature of the event or incident
• Notifying affected constituents of the incident
• Understanding the technical cause of the event or incident
• Researching and recommending solutions and work-arounds
• Making the decision to involve outside entities, including law enforcement agencies, vendors, and computer forensic experts
• Identifying and mitigating risks
• Assessing incident damage and cost
• Discussing, reviewing, and documenting any lessons learned from the incident

Policy Enforcement

Refusing to cooperate under this policy shall be deemed to be in violation of this policy and will be reported to the SF Chief Information Officer (CIO). The CIO reserves the right to deny or immediately remove access privileges to individuals or groups without prior notice to protect SF technology resources. The CIO may delegate further enforcement of this policy to the appropriate persons in coordination with disciplinary procedures for students, faculty, and staff.

Contacts

Questions regarding this Policy should be directed to Information Technology Services at 352-395-5999 or can be emailed to help.desk@sfcollege.edu.

History/Revision Dates

This policy replaces a prior policy entitled “Information Security Incident Response Policy.”

Approved: 05/08/2017

Student Use

Student Guide to Information Technology at SF

Choosing a college or university is one of the most important decisions a family can make. As information technology becomes increasingly important in our personal and work lives, prospective students and parents are looking more closely at the way colleges and universities provide and support technology resources for their students.

To assist in this process, this guide was written to help you understand some of the ways in which information technology resources are used at Santa Fe College. It is based on a list of questions developed by Educause for prospective students

This document is divided into four parts - Academic Experience, Information Management, Student Life, and Services and Fees. If you have other questions about technology at SF, please call the Help Desk at 352-395-5999.

Academic Experience

Active learning with technology bringing students, faculty and information together

You will be joining a community of people devoted to creating and sharing information. Finding answers to the following questions can help you understand how technology is used to support learning and collaboration in your areas of interest or possible major(s).

Coursework—in and out of class

Q1. How does the campus use technology to enhance teaching and learning in my areas of interest?

Faculty use technology in many ways, from the use of PowerPoint to multimedia presentations that transcend the classroom environment.

Q2. Is there technology in the classrooms?

Yes, most classrooms at SF have installed multimedia carts and overhead projectors. These carts are connected to the Internet, contain computers, DVD/VCR's and document cameras. If a classroom does not have an installed multimedia cart, Information Technology Services will deliver one to the room.

Q3. Will I use technology to collaborate with other students in both my introductory and advanced courses?

Most likely. Your instructor may require you to use Canvas, the College’s online learning management system (LMS), to download handouts, submit assignments, take tests, or communicate with your instructor and classmates. Some courses are offered entirely online, some are blended (half classroom/half online), and some have a Canvas component. It is up to the instructor whether to use Canvas to supplement classroom learning. You can find Canvas tutorials (called guides), submit a Problem Report, and find other helpful information at Open Campus.

Q4. Does the school give credit for courses taken online from other institutions and sources of instruction?

Yes, the Records Office will evaluate our college transcripts and determine the course equivalencies. Online courses are evaluated just like a face-to-face course and you can view the results of this process on eSantaFe once it is complete.

Support Services

Q5. Does the school have multimedia labs I can use to work on projects? Is there help available?

Yes, If multimedia projects are required for a class, the Media Studio is available, by appointment, for students to work on their projects.

Q6. Are library collections and resources—such as catalogs, research databases, special collections, course reserves, full-text electronic journals, books, and streaming media— available online and accessible off- campus?

Yes, the Lawrence W. Tyree Library at SF provides online access to the library catalog and research databases through eSantaFe for off-campus use.. In addition to the library’s physical holdings, the library catalog provides access to the library’s electronic book collection. The library subscribes to 108 electronic databases, 86% of which include full-text periodical articles. From the library’s homepage, students may also access a directory of Web sites recommended by the librarians. All of these electronic resources are accessible both on and off-campus.

Q7. What technology resources and help are available to students with special needs?

SF offers a variety of adaptive services for students with special needs through the Disabilities Resource Center. The DRC maintains a variety of adaptive software, hardware, and devices (some for loan). The L.W. Tyree Library offers services for students with special needs including reference services, audiovisual resources and assistive technologies.

Q8. Can the library deliver documents to me electronically, either via email, file transfer, or through Web posting? Is there a cost associated with that service?

Yes, the L.W.Tyree Library provides access to full-text periodical articles via library subscription databases. Students may download or email these articles. Upon request, students may also have these articles emailed to them by a librarian. If the student needs an article that is not available through the library’s databases or print holdings, he/she can request the article from another institution via interlibrary loan. In cases where the lending institution has access to the article electronically, it may be sent to the student via email. Unless the lending library charges a fee for these services, electronic document delivery is free.

Q9. What kind of help does the library provide for research assistance, and when is the help available?

The L.W.Tyree Library Reference Librarians routinely provide reference assistance in person, by phone, email and online chat (Ask a Librarian). Users may request individual sessions tailored to their subject using the “Book a Librarian” service. Librarians teach at the Centers as well as the Northwest Campus. We support all online students with reference assistance through online chat, Book A librarian, email or phone reference, and as a Virtual Librarian presence in their online class (if enabled by the instructor). SF Reference Librarians provide these services during all open hours (84 hours per week): Mon. – Thurs. 7 a.m.–10 p.m., Fri. 7 a.m.–4:30 p.m., Sat. noon– 6 p.m. and Sun. noon–8 p.m. Additional evening and weekend chat reference hours are available through the statewide service. During final exam period, the library offers extended weekend hours from 10 a.m.–10 p.m. on Saturday and Sunday.

Looking toward graduation and a career

Q10. Does the campus offer general or profession-specific training programs that will ensure I am fluent in current information technologies when I graduate?

Yes, the campus offers a variety of opportunities. Non-credit classes are available through the Center for Business and through Community Education. Introductory credit courses, such as CGS1000 (Introduction to College Computing) and OST2854 (Introduction to Computer Applications) are available. Many specific program areas also offer specific workforce computer courses.

Information Management

Taking care of business online

Your campus experience will include some time spent taking care of practical matters, such as registering for classes, requesting transcripts, and paying tuition. Find out which transactions and the services that support them can be handled online and at a distance.

Managing your personal information

Q1. What personal information can I view online—my contact information, grades, degree progress, financial status, or other information?

Through the student portal (eSantaFe), students can view grades, degree progress, financial aid status and contact information.

Q2. Can I update any of this information online myself?

Yes, students can change their addresses, phone numbers and preferred email addresses online. Changes to other information , such as social security numbers and name changes, must be completed in person at the Records Office, mailed to the Records Office (handwritten letter), or faxed to the Records Office (handwritten letter) at 352-395-5922.

Conducting Business

Q3. Which of the following can I do online?

Through the student portal (eSantaFe), students can access the following services:

• Submit applications
• Apply for financial aid and view the status of awards
• View degree audits to check progress toward completion of their degree requirements
• Register for courses and adjust their course schedules
• Pay their tuition fees
• View their grades
• View and print unofficial transcripts
• Request official transcripts
• Apply for graduation

Q4. What campus and community services are covered by debit card systems?

Fee payments are covered by debit-card systems.

Q5. Is the school catalog-including course descriptions, degree requirements, academic policies, and the semester/term schedule of classes-available on the Web?

Yes, the SF catalog is available online and the term schedule is available through the student portal (eSantaFe).

Privacy, security, and usage rules

Q6. What security and privacy policies are in place to protect student information?

eSantafe is a secure site for students and can only be accessed by a student with an ID and password. Student can change/reset their own passwords. FERPA policies are in place to protect student’s identity.

Q7. How does the campus educate students and protect them from identity theft?

Orientation, unique ID’s and passwords to access eSantafe, and FERPA notifications to students via catalog, web, and enrollment guide.

Q8. How does the campus notify students of their rights under the federal Family Educational Rights and Privacy Act (FERPA)?

Students are provided information on their rights to privacy as defined within FERPA through the College catalogs, eSantaFe and Enrollment Guide.

Q9. How does the campus manage e–mail spam and spyware?

SF has spam filters in place across the campus networks, and on desktop computers in all computer labs and classrooms. Email is filtered using a hosted spam service.

Student Life

Enriching your extra-curricular experiences with technology

Whether you will be a full– or part–time student, the school's social, extracurricular, and career services activities will be an important part of your educational experience. Find out about the technology tools that facilitate different communities on campus, allowing for communication, personal development, and getting together (in person and online).

Accessing computer services

Q1. Where is public access to computers available to students? Examples include computing labs, cyber cafés, residence hall computers, and wireless access.

Public access computer labs for students may be found at the Northwest Campus in the following locations: Academic Foundations (G-06, G-14, G-36), UF@SF Center (HA-132), Career Exploration Center (R-217), Natural Sciences (J-110), Big Open Lab (N-216), Center for Student Leadership and Activities (S-167), SF Gym (V-018), the Health Science TLC ((W- 233), and the Lawrence W. Tyree Library (Building Y). In addition, The Math Studio (P-220) is a large computer lab that is available for students working on any type of math. The computer labs in the A.A. Advisement Center (R-201) and the Registration Lab (R-226) are available for admissions, registration, advisement, and financial aid purposes only.

Open computer labs may also be found at the Educational Centers, including Andrews (SA-204), Blount (DB-115 and DC-002), Perry (PA 110 and PA 145), and Watson (KB-103).

Wireless access is available to all students, faculty, and staff with 100% coverage at all SF centers and the Northwest Campus.

Q2. Does the institution provide institutional email accounts for all students and use email as an official medium of communication?

Yes, Santa Fe provides Gmail accounts to current and former students. Email is an official means of communications and eSantaFe (the student portal) is the official means of notification of important college business related information.

Q3. Does the institution provide and support electronic space for personal student Web pages?

SF does not provide student access to electronic space for personal Web pages.

Q4. Is network bandwidth limited for peer-to-peer software, gaming, Web cams, or other programs requiring high levels of network services?

To ensure that all students are able to obtain their fair share of network resources, bandwidth is monitored and may be limited to applications that can have a negative impact on the wired and wireless student networks.

Q5. Is there a campus code of behavior about using computer resources?

Yes, the Student Conduct Code (College Rule 7.23, Article III, #18) contains language addressing appropriate use of computer resources.

Q6. Does the campus have policies addressing peer-to-peer file sharing, computer viruses, and copyright violations?

Yes, the Student Conduct Code (College Rule 7.23, Article III, #18 contains language addressing appropriate use of computer resources.

Connecting with others

Q7. Is contact information for students, faculty, and staff readily accessible electronically?

Yes. The College’s Telephone Directory and a listing of Instructor websites is available online.

Q8. Does the campus make online communities available (for example, forums, bulletin boards, and so forth)?

Yes. There are over 40 Facebook Pages hosted by SF departments, student organizations, and programs designed to connect students with similar interests and to encourage conversation among SF students.

Q9. Are there Web sites for student organizations and clubs?

Yes. All student organizations have Directory information listed online and have the ability to create and maintain their own sites to be hosted on an SF server.

Q10. What technology–supported career–planning services are available to students?

Resources in the Career Exploration Center (R-217):

• Discover - An online multimedia career guidance program which includes assessments of a person's Interests, abilities, and values, and uses the results to suggest occupations that match. It includes, good databases on occupations, the majors that train for those occupations, and the colleges which offer those majors. Discover also has a nice section to help the user in performing an effective job search, creating resumes, and improving job interview skills.
• Choices - An online career information system supported by the Florida Department of Education. It includes an excellent database on occupations, including salary levels and employment needs for different regions of Florida, plus descriptions of majors, colleges, and technical schools in Florida and the US. Choices also include a Scholarship Finder, which is a good starting point in searching for financial aid alternatives.
• MyRoad by the College Board - MyRoad has databases on occupations, majors and colleges similar to Discover and Choices, but links them to personality type through the ORA Personality Profiler, which is similar to the Myers Briggs Type Indicator (r).
• Guide for Occupational Exploration Online - A simple and comprehensible career interest inventory based on U.S. Department of Labor categorizations, thus it interfaces readily with the DOL databases on occupations.
• CollegeSource - College search engine, to find schools that offer a given major and meet other criteria. CollegeSource provides a comprehensive collection of catalogs from U.S. colleges and universities going back many years, useful in evaluating out-of-state transcripts and historic transcript records.
• Collections of career information resources - links to sites offering reliable and timely data on the job market, employment trends, salaries, training requirements, training availability. These include sources from the U.S. Department of Labor, the Florida
• Customized career information searches - CRC staff will assist students and other interested parties in performing web searches and institutional research to gain information of relevance to their academic and career plans. Such searches can be done by a visit to our offices, via e- mail, by telephone, or by any combination thereof.

Services and Fees

What you pay for and what you get

There is a strong connection between the quality of technology services and the associated costs. There is also a wide variation in the ways campuses charge for these services. To evaluate the benefits you will receive and to compare costs, you'll need answers to these questions.

Fees and expenses

Q1. How much is the Technology Fee at SF and what does it cover?

SF charges a per credit hour technology fee. The fee is used to enhance of student computers and classroom technology.

Q2. Will I be required to purchase my own computer?

Although computers are available to students in over 50 computer labs, students are required to have access to an Internet connected PC from off campus and some programs may require students to bring their own laptop or tablet computer to class.

Q3. Does the campus make computing and network access financially accessible? Is special student pricing offered for computers and peripheral equipment?

Yes, students can purchase computers at a discount through the college's Dell University purchasing site.

Technical Support

Q5. What hardware and software standards, if any, does the campus require, recommend, and/or support?

Online courses, as well as any course using an online component, are delivered by the Canvas Learning Management System (LMS). The Canvas LMS supports the latest versions of Internet Explorer, Firefox, and Chrome. This is true for Windows, Mac OS X, and Mac OS 9.x. Some courses may require specific software such as Microsoft Office. Your computer should be fast enough that you do not feel hampered by its speed or capabilities. Any computer purchased new in the past 5 years is capable of running one of the supported browsers. Support for specific extra software such as Microsoft Office may require a specific operating system which will have its own requirements. In general, your instructor must be able to open and view any documents, etc that you create as part of your course work. SF faculty and staff use Microsoft Office 2016, which is also installed in labs.

Q6. What kinds of support services (help desk, training, troubleshooting) are provided by the campus, and when are they available?

The regular SF Help Desk cannot help you with Canvas technical issues, ITE student accounts or classrooms/labs (K-04 through K-10 and N building's first and third floors), problems with your personal electronic equipment, or non-SF Internet connections. But, they can help if you are having trouble with SF-owned computer equipment or services. You can find answers to common problems by visiting the Frequently Asked Questions (FAQ) page.

Help Desk support is available Monday through Friday from 8 a.m. until 4:30 p.m. - excluding college holidays and other closures -- by email (help.desk@sfcollege.edu) and by phone 352-395-5999.

Q7. Does the campus have a plan for keeping its hardware and software current, and if so, what is the replacement cycle?

SF replaces the desktop computing and printing resources in labs and classrooms on a four to five year cycle.

Q8. If I bring my own computer to school, what kind of technical support can I expect from the campus?

SF does not currently provide hardware and software services for students.

Other Services

Q9. How does the campus support printing for students, and is there a charge for this service? Printing is available at all campus locations. On the Northwest Campus, pay-for-print is available in the Business labs (Building C), BOL (Building N), Center for Student Leadership and Activities (Building S), and the Library (Building Y). Student copiers are pay for use copiers.

Q10. Does the campus provide wireless network coverage? If so, how much of the campus has wireless connectivity?

Wireless access is available to all students, faculty, and staff with 100% coverage at all SF campuses.

Q11. What security measures are provided by the institution's IT department and what will be the student's responsibility (for example, antivirus software)?

SF provides antivirus and antispyware software on all SF-owned student computers. Students are strongly encouraged to install security protection on their personal computers and keep their operating systems maintained with the latest security patches.

Q12. Does the campus include the cost of technical accessories (for example, a technology- enabled note-taking pen that provides an interface to a CMS) in its technology fee, or are students required to purchase these items separately?

There are no technical accessories provided for students.

Student Computer Use Policy

Approved:
Last Reviewed: 07/18/2012
Last Modified: 07/18/2012
Responsible Office: Information Technology Services

This following statement is placed on all student computers and students must agree to the statement before using college-owned computers. 

Computer Use Policy

ATTENTION – YOU WILL LOOSE COMPUTER PRIVILEGES AT ALL SF LABS IF YOU:

1. Display, print, or transmit pornographic material in any SF computer lab 
2. Display, print, or transmit racist, sexist, obscene or harassing messages and/or materials using email or SF’s access to the 
3. Modify or alter a computer workstation by any means, including but not limited to installing programs, saving or deleting workstation files, and changing the desktop configuration 
4. Use the email to transmit unsolicited mail (SPAM). SPAM is defined as “the sending of a message, individually or en masse, to people who did not request it and/or would not otherwise choose to receive ”

If you violate these policies, you will be denied access to all SF Labs pending your hearing with the Student Disciplinary Committee. 

I have read and agree to the Computer Use Policy.

History

07/18/2012 – Revised

Information Technology Policies v20120718

Appropriate Use Policy

Approved: February 2, 2001
Last Reviewed: 08/30/2011
Last Modified: 08/30/2011
Responsible Office: Information Technology Services

Purpose

Santa Fe College has made a significant investment in the information technology infrastructure to support its mission in teaching, learning and administration. To that end, this policy aims to promote the following goals:

• To ensure that IT resources are used for their intended purposes;
• To ensure that the use of IT resources is consistent with the principles and values that govern use of other college facilities and services;
• To ensure the integrity, reliability, availability and performance of IT systems; and
• To establish processes for addressing policy violations and sanctions for violators

Scope

This policy applies to all students, employees, volunteers, temporary workers, guests and other workers at SF, including personnel affiliated with third parties, who use IT resources owned or leased by SF and whether from on campus or from a remote location. Other policies may govern IT resources managed by different departments of the College.

Policy

Statement Access to college IT resources is a privilege that is granted by SF and subject to certain rules, regulations and restrictions. Such access carries with it legal and ethical responsibilities and should reflect the honesty and discipline appropriate for our community of shared IT resources. Appropriate and ethical use demonstrates respect for intellectual property, ownership of data, system security mechanisms and individuals’ right to privacy and to freedom from intimidation or harassment.

General Requirements

• You are responsible for exercising good judgment regarding appropriate use of SF IT resources in accordance with Federal and state laws and SF policies, standards and guidelines.
• For security, compliance and maintenance purposes, authorized personnel may monitor and audit equipment, systems and network traffic per the IT Security, Privacy and Audit Statement. Devices that interfere with other devices or users on the SF networks may be disconnected. Information Technology Services (ITS) prohibits actively blocking authorized audit scans.
• You should be considerate when using shared IT resources. Although there are no set limits on bandwidth, disk space or CPU time applicable to all IT resources, users may be required to limit or refrain from specific uses if such use interferes with the efficient operation of IT resources.

User Accounts

• You are responsible for the security of data and systems under your control. Keep passwords secure and do not share account or password information with anyone, including other students, personnel, family or friends.
• You must maintain passwords in accordance with the Password Policy and Guidelines.
• You must ensure that college-protected information, as defined in the Guidelines for Safeguarding Restricted Data, remains within the control of SF at all times. Conducting SF business that results in the storage of protected information on personal or non-SF controlled systems, including devices maintained by a third party with whom SF does not have a contractual agreement, is prohibited. This specifically prohibits the use of an email account that is not provided by SF.

Information Technology Resources

• You are responsible for ensuring the protection of assigned SF resources.
• You must not use IT resources to gain unauthorized access to remote computers or to impair or damage the operations of SF computers, networks and online services.
• You must not interfere with College device management or security system software.
• You should contact ITS before purchasing hardware or software that connects to or runs on SF computers or networks.
• You must not use IT resources for personal financial gain. Occasional personal use of SF IT resources for purposes other than commercial or financial gain is permitted when it does not consume a significant amount of IT resources, does not interfere with college business or with the performance of a user’s job, and is otherwise in compliance with this policy.

Network Use

You are responsible for the security and appropriate use of SF network resources under your control. Using SF resources for the following is strictly prohibited:

• Causing security breach to SCF network resources, including but not limited to, accessing data, servers or accounts to which you are not authorized, circumventing user authentication on any device, or sniffing network traffic.
• Causing a disruption of services to SF network resources, including but not limited to, packet spoofing and denial of service, heap or buffer overflows and forged routing information for malicious purposes.
• Violating copyright law, including but not limited to, illegally duplicating or transmitting copyrighted pictures, music, video, software and learning resource materials.
• Use of the Internet or SF networks that violates Federal or State laws, or college policies, including but not limited to, laws of defamation, privacy, sexual harassment, obscenity and child pornography.
• Intentionally introducing malicious code, including but not limited to, viruses, worms, Trojan horses, spyware, adware and keyloggers.
• Port scanning or security scanning on a production networks unless authorized by Information Technology Services.
• Disabling or bypassing college authorized security measures, such as local firewalls, virus checking software, web-site restrictions, etc.

Electronic Communications

The following is strictly prohibited:

• Inappropriate use of the communication equipment and services, including but not limited to, supporting illegal activities, and procuring or transmitting material that violates SF policies against harassment or the safeguarding of confidential or protected information.
• Sending Spam via email, text messaging, instant messaging, voice mail or other forms of electronic communications.
• Forging, misrepresenting, obscuring, suppressing or replacing a user identity on any electronic communication to mislead the recipient about the sender.
• Posting the same or similar non-college-related messages to large numbers of Usenet groups (news group spam)
• Use of SF email or IP address to engage in conduct that violates SF policies or guidelines. Posting to a public newsgroup, bulletin board, or listserv with a SF email or IP address represents SF to the public; therefore, you must exercise good judgment to avoid misrepresenting or exceeding your authority in representing the opinion of the College.

Enforcement

The college considers any violation of this policy to be a serious offense. Violators may be subject to disciplinary action, up to and including suspension from school and termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with SF.

Authority

This policy has been created by Information Technology Services by the authority described in the Santa Fe College Information Security Policy and shall be complied with as though it were part of the IS Policy document.

History

02/02/2001 – Approved
10/12/2004 – Revised
09/24/2009 – Major revision
12/12/2010 – Revised
08/30/2011 – Revised

Information Technology Policies v20110830

Appropriate Use of Information Technology Resources Policy

Introduction

The purpose of this policy is to provide guidelines for the appropriate use of SF's information technology resources as well as for the College's access to information.

Santa Fe College acquires, develops, and maintains computers, information systems, telephone systems and networks. These information technology resources support the mission, values and goals of the College and are intended for College-related uses, including the direct and indirect support of instruction; administrative functions; student activities; and the free exchange of ideas within the College community, and among the College community and the wider local, national, and world communities.

This policy applies to all individuals who access information technology resources owned or operated by the College, whether affiliated with the College or not, and whether on campus or from remote locations. Additional policies may govern specific information technology resources provided or operated by specific departments of the College.

Rights & Responsibilities

Access to information technology resources owned or operated by the College is a privilege that is granted by the College and subject to certain rules, regulations and restrictions. Such access carries with it legal and ethical responsibilities and should reflect the honesty and discipline appropriate for our community of shared information technology resources. Appropriate and ethical use demonstrates respect for intellectual property, ownership of data, system security mechanisms, and individuals' right to privacy and to freedom from intimidation or harassment.

General Guidelines

Appropriate use of information technology resources means that users:

• Must comply with federal and state laws, College rules and policies, and the terms of applicable contracts including software licenses while using College information technology resources. Examples of applicable laws, rules and policies include the laws of defamation, privacy, copyright, trademark, obscenity and child pornography; the Florida Computer Crimes Act (Chapter 815, Florida Statutes), the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which prohibit "hacking," "cracking" and similar activities; the College's Student Conduct Code; and the College's Sexual Harassment Policy. Users who engage in electronic communications with persons in other states or countries or on other systems or networks may also be subject to the laws of those jurisdictions and the rules and policies of those other systems and networks. Users with questions as to how the various laws, rules and resolutions may apply to a particular use of College information technology resources should contact the Department of Information Technology Services for more information.
• Must accept responsibility for account privileges. Users are responsible for obtaining proper authorization before using College information technology resources. Under no circumstances should users disclose their account login information or use another person's account login. In cases when unauthorized use of accounts or resources are detected or suspected, the account owner should change the password and report the incident to the network administrator. Electronic information is a valuable College resource. Users are responsible for safeguarding data connected with their accounts and are expected to use good computing practices to backup data, change passwords, grant access privileges to files and follow the records retention policies for their area.
• Should be considerate when using shared resources. Although there is no set limit on bandwidth, disk space, or CPU time that is applicable to all uses of College information technology resources, the College may require users of those resources to limit or refrain from specific uses if, in the opinion of the system administrator, such use interferes with the efficient operations of the system.
• Must not use information technology resources to gain unauthorized access to remote computers or to impair or damage the operations of College computers or networks, terminals or peripherals. This includes blocking communication lines and running, installing or sharing virus programs. Deliberate attempts to circumvent data protection or other security measures are not allowed.
• Should make every effort to abide by College information technology standards. Using non-standard hardware and software decreases the College's ability to maintain proficiency in procurement, installation, maintenance and life cycle management of information technology resources. Users of the College's information technology are strongly encouraged to check the standards before purchasing hardware and software.

This policy may be modified as deemed necessary by the College. Users are encouraged to periodically review the policy as posted on the web pages for Information Technology Services.

Email

For purposes of this document, email includes point-to-point messages, postings to newsgroups and listservs and any electronic messaging involving computers and computer networks. Organizational email accounts, including those used by student organizations, are held to the same standards as those for individual accounts. email is considered an official communications method of the College and generally subject to the Florida Public Records Law and the Florida Sunshine Law to the same extent as it would be on paper. email users must therefore know the laws (Policy On The Public Records Law And Email) and be mindful that College email is public information.

Examples of Inappropriate Uses of email

While not an exhaustive list, the following uses of email by individuals or organizations are considered inappropriate and unacceptable at Santa Fe College. In general, email shall not be used for the initiation or re-transmission of:

• Chain mail that misuses or disrupts resources -- email sent repeatedly from user to user, with requests to send to others.
• Harassing or hatemail -- Any threatening or abusive email sent to individuals or organizations that violates college rules and regulations or the Code of Student Conduct.
• Virus or virus hoaxes.
• Spamming or email bombing attacks -- Intentional email transmissions that disrupt normal email service.
• Junk mail -- Unsolicited email that is not related to College business and is sent without a reasonable expectation that the recipient would welcome receiving it.
• False identification -- Any actions that defraud another or misrepresent or fail to accurately identity the sender.

College Access to email

All email messages are the property of the College. As a routine, the College will not inspect email content. However, the College reserves the right to access messages under circumstances outlined in the Security and Privacy section of this policy and to save email pertaining to College business when an employee leaves the College. This access will be granted only upon written notification from the employee's supervisor to the Associate Vice President of Information Technology Services. These files may be transferred to another user if necessary to conduct College business.

Web Pages

College web pages represent the College and are intended for the official business functions of the College. Official web pages, including student organizational web pages, are expected to follow the same professional standards that apply to official publications in any other medium. For more information on web policies and guidelines refer to SF's Web Policies and Guidelines.

Commercial Use

Information technology resources are not to be used for personal commercial purposes or for personal financial gain. Occasional personal use of College information technology resources for purposes other than commercial or financial gain is permitted when it does not consume a significant amount of those resources, does not interfere with the teaching/learning process, or with the performance of a user's job or other College responsibilities, and is otherwise in compliance with this policy. Further limits may be imposed upon personal use in accordance with normal supervisory procedures concerning the use of College equipment.

Security & Privacy

The College employs various measures to safeguard its information technology resources and its users' accounts. Users should be aware, however, that the College cannot guarantee security and confidentiality. Users should therefore engage in "safe computing" practices by establishing appropriate access restrictions their accounts, guarding their passwords and changing them regularly.

Users should also be aware that their uses of College information technology resources are not completely private. While the College makes every effort to ensure privacy and does not routinely monitor individual usage of its information technology resources, the normal operation and maintenance of those resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns and other such activities that are necessary for the continuation of service. The College may also monitor the activity and accounts of individual users of College information technology resources, including individual login sessions and the content of individual communications, without notice, when:

• The user has voluntarily made them accessible to the public, as by posting to a listserv or a web page
• It reasonably appears necessary to do so to protect the integrity, security, or functionality of College information
• There is reasonable cause to believe that the user has violated or is violating this policy
• A user appears to be engaged in unusual or unusually excessive activity
• It is otherwise required or permitted by law

Any such monitoring of communications, other than what is made accessible by the user, required by law, or necessary to respond to perceived emergency situations, must be authorized in advance by at least one College Vice President in consultation with the Associate Vice President of Information Technology Services and the College's legal counsel. The College, in its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications, to appropriate College personnel or law enforcement agencies and may use those results in appropriate College disciplinary proceedings. Communications made by means of College information technology resources are also generally subject to the Florida Public Records Law to the same extent as they would be if made on paper.

Enforcement and Penalties for Violations

The College considers any violation of this policy to be a serious offense. Violators of this policy will be referred to the appropriate College entity for disciplinary action. The College may, however temporarily suspend, block or restrict access to an account, independent of such disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of College or other computing resources or to protect the College from liability.