OVERVIEW & SECURITY PLAN CHARTER

Institutional Profile

Georgia Highlands College is a two-year unit of the University System of Georgia with almost 3,800 students and 245 full-time faculty and staff. Information Technology, a department of 16 staff members, is responsible for all technology and computer-related services, as well as telecommunications, at all five campus locations. This infrastructure consists of over 4,650 network nodes, 50+ servers, and 1,100+ client workstations.

Overview

The Chief Information Officer is responsible for the Information Technology Department and for all telecommunications for the College. The Chief Information Officer reports to the President of the institution and is a member of the President’s Cabinet. Information Technology is responsible for all aspects of design, installation, service, and support in the following areas of computing: hardware, software, dissemination of electronic data, communications, user support, helpdesk services, application and development support, network services, telecommunications, and the research, strategic development, and implementation of new technologies. This service encompasses both academic and administrative computing at all five campus locations and support of additional institutional presence at other locations. Information Technology consists of three functional areas that provide this support: Client Support Services, Network Support Services, and Enterprise Application Services. In addition to supporting faculty, staff, and students, the department supports several major systems: Banner Student Information System (Student, Financial Aid, General, Accounts Receivable, Georgia Mods), Banner Web (Student, General, Faculty Advisor), Peoplesoft Financials (Budgets, Accounts Payable, Accounts Receivable, Purchasing), Peoplesoft HRMS (HR, Payroll), Compass Testing, Aceware - Continuing Education, Blackboard - DataCard Services, Pharos Student Printing, Inventory, Web Services, and Exchange Groupware (E-mail, Calendaring, Document Sharing). All telecommunications for the college are likewise the responsibility of the Chief Information Officer and the IT Department. This includes all voice and data circuits, user support, and communications with both GTA and Bellsouth.

Purpose

Georgia Highlands College considers its electronic information resources to be a valuable asset. These resources include systems, servers, data, hardware, software, applications, networks, and other related technologies. These assets are important to business continuity and should be treated as such. The College makes every effort to ensure that these assets are protected, that vulnerabilities are minimized, and that future security incidents are mitigated where possible. Threats to these assets arise from a variety of sources, both internal and external, and may be intentional or accidental in nature.

The following Information Security Guidelines, Policies, and Procedures formally designate the measures and controls used at Georgia Highlands College to provide information security. Georgia Highlands College, like other institutions, recognizes the seriousness and complexity of securing information resources. Protection from all threats and vulnerabilities can never be completely achieved, but it is the principle of this plan that every effort be made toward that goal by all members of the institution.

Organization

Information security must be a group effort to be successful. It is naïve to think that one person or one department can effectively manage and protect all the information resources of a complex institution. Information technology is itself ever changing and a moving target at best. Something as important as information security must have a formal place in the governance of the institution, starting with the President and senior administration. The President of Georgia Highlands College has appointed the Chief Information Officer to spearhead the effort of maintaining an Information Security Plan. Although several departments and many individuals will play a role in the successful maintenance of the plan, the Chief Information Officer will oversee it and report its successes and failures to the President and the President’s Cabinet. The Chief Information Officer, with the assistance of the Information Security Coordinator and other Information Technology members, will direct the plan and make recommendations for changes annually. The original plan and incremental changes to it require the approval of the President’s Cabinet, with final approval by the President.

The Information Security Plan has many components, and not all of them rest in the hands of Information Technology. Several key controls reside in other areas of the institution. Training and communication are vital aspects of this plan: unless all employees understand the seriousness of the plan and their individual responsibilities when working with information resources, security incidents will occur. The Human Resources Director will be critical in assisting with communication, training, and enforcement of the plan. New procedures will need to be implemented for all college personnel, and ongoing training to distribute new policies and procedures will have to be coordinated. Likewise, the College Relations Director will play a vital part in disseminating information to internal and external audiences in the event of security incidents or disasters. The College Relations Office will deliver the institution's official statement should the need arise. The Vice President of Finance and Administration will assist in defining business continuity plans and in enforcing certain guidelines for staff with higher levels of system access. Other departments, such as the Registrar’s Office, Financial Aid, and Admissions, will place similar constraints on users of system data.

Certain policies within this plan also call upon task forces to be assembled in the event of certain incidents. These will be detailed in the Responsibilities section of this plan.

Scope

The policies and guidelines in this plan apply to all campuses of Georgia Highlands College and consequently to all faculty, staff, and students of the institution. The Chief Information Officer will make recommendations regarding information security guidelines and policies to the President’s Cabinet for approval. Supervisors are expected to inform users about all relevant policies and to see that they are enforced. The Human Resources Department will also assist in employee matters, maintain certain training requirements, and notify Information Technology of the arrival or departure of faculty and staff so that accounts can be created and deactivated.

It is important that all faculty, staff, and students understand the seriousness of these policies and the possible repercussions of not following them. All users are expected to uphold these policies and to protect both data and their account access. Some college staff have additional requirements because of the sensitivity of the data to which they have access. Supervisors must hold their staff to these standards and treat misuse and abuse seriously. Misuse will set in motion a range of consequences, which, depending on the seriousness of the abuse or inappropriate action, may include termination of the employee.

Responsibilities

A.   Responsibility for Guidelines and Policies

The Chief Information Officer is responsible for maintaining the plan's policies and guidelines in conjunction with the Information Security Coordinator and other Information Technology staff. It is also the responsibility of the Chief Information Officer to coordinate with the other team members called upon in this plan in order to direct the elements of the plan that lie outside the information technology area. Finally, the Chief Information Officer will review this plan annually and bring necessary changes to the President’s Cabinet for approval.

B.   User Responsibilities

Users of Georgia Highlands College’s information resources are responsible for complying with all Information Security Policies and Guidelines. Users are responsible both for the accounts entrusted to them and for the data with which they come into contact. Appropriate security measures must be followed. Users must also report to Information Technology when an incident has occurred or when misuse is suspected.

C.   Information Technology Responsibilities

Information Technology staff members must comply with all policies and take additional precautions because of the level of access they have to many systems. Likewise, system owners carry an even higher duty to ensure that all systems are safe, protected, backed up, and audited regularly, and that information is kept secure and confidential.

Information Technology must determine specific security precautions for systems that have been identified in risk assessments and work with the users of those systems to ensure that all precautions and policies are followed.

Information Technology staff who create and remove employee accounts must follow approval and review processes for authorizing or deactivating accounts. Special account access must be requested through the area supervisor using the established procedures. In most cases this consent must be conveyed by a trusted method, not by telephone.

Information Technology should minimize the distribution of administrative accounts for systems and grant personnel access only to the information and capabilities required to conduct their job duties.

Information Technology should allow only authorized system owners to make changes to software and applications, based on their approved roles and carried out with approved procedures.

Information Technology system owners must use system logs and audit their systems to monitor access to information resources.

Information Technology system owners must maintain appropriate backups of their systems and data. They are also responsible for overseeing off-site backup procedures.

Information Technology must regularly update and test the disaster recovery plan to ensure all measures are appropriate and in place in case of an emergency.

Information Technology must ensure that certain controls are in place, such as perimeter firewalls, patched servers, proper documentation of systems, backups, disaster recovery tests, and incident response plans, so that essential business functions can be maintained in the event of a disaster. These also include any established physical controls.

D.   Computer Incident Response Team (CIRT) Membership and Responsibilities

The Computer Incident Response Team will be comprised primarily of technical staff. The Chief Information Officer will head the team as Team Manager. The Team Manager is responsible for alerting team members, gathering preliminary information with the team, making the final decision on incident severity, activating and coordinating other teams depending upon severity, overseeing the response to the incident, and reporting findings at the incident’s conclusion. The CIRT will also consist of the Information Security Officer, any network, client support, or application/development technical staff deemed necessary, and someone to document the response. Depending on the severity of the incident, senior administration will also be alerted to the incident and provided with updates until it is resolved. Generally, if one of their areas is affected, they will also serve on the Communications Team.

E.   Communications Team Membership and Responsibilities

The Communications Team on campus will consist of senior administration and members of the Office of College Relations. The Director of College Relations will serve as the Team Manager for this group and will coordinate with the CIRT Team Manager, other team members, and the President of the college. The Communications Team Manager will decide which senior team members to activate depending upon the severity of the incident and which areas of the college are affected, and will assist the CIRT Team Manager in deciding whether the Extended Team needs to be activated. The role of this group is to communicate information effectively to the college community, and to the greater public if necessary, on incidents that involve sensitive information.

F.     Extended Team Membership and Responsibilities

The Extended Team is comprised of the Director of Human Resources, any other staff or faculty members who may be needed, and legal counsel if necessary. This team is called into action when an incident involves information pertaining to an employee and/or when the incident may involve legal action.

Revision History

12/09/04 Policy origination jp